1 /*
2 +----------------------------------------------------------------------+
3 | Copyright (c) The PHP Group |
4 +----------------------------------------------------------------------+
5 | This source file is subject to version 3.01 of the PHP license, |
6 | that is bundled with this package in the file LICENSE, and is |
7 | available through the world-wide-web at the following url: |
8 | https://www.php.net/license/3_01.txt |
9 | If you did not receive a copy of the PHP license and are unable to |
10 | obtain it through the world-wide-web, please send a note to |
11 | license@php.net so we can mail you a copy immediately. |
12 +----------------------------------------------------------------------+
13 | Authors: Rasmus Lerdorf <rasmus@php.net> |
14 | Jaakko Hyvätti <jaakko.hyvatti@iki.fi> |
15 | Wez Furlong <wez@thebrainroom.com> |
16 | Gustavo Lopes <cataphract@php.net> |
17 +----------------------------------------------------------------------+
18 */
19
20 /*
21 * HTML entity resources:
22 *
23 * http://www.unicode.org/Public/MAPPINGS/OBSOLETE/UNI2SGML.TXT
24 *
25 * XHTML 1.0 DTD
26 * http://www.w3.org/TR/2002/REC-xhtml1-20020801/dtds.html#h-A2
27 *
28 * From HTML 4.01 strict DTD:
29 * http://www.w3.org/TR/html4/HTMLlat1.ent
30 * http://www.w3.org/TR/html4/HTMLsymbol.ent
31 * http://www.w3.org/TR/html4/HTMLspecial.ent
32 *
33 * HTML 5:
34 * http://dev.w3.org/html5/spec/Overview.html#named-character-references
35 */
36
37 #include "php.h"
38 #ifdef PHP_WIN32
39 #include "config.w32.h"
40 #else
41 #include <php_config.h>
42 #endif
43 #include "php_standard.h"
44 #include "php_string.h"
45 #include "SAPI.h"
46 #include <locale.h>
47 #ifdef HAVE_LANGINFO_H
48 #include <langinfo.h>
49 #endif
50
51 #include <zend_hash.h>
52 #include "html_tables.h"
53
54 /* Macro for disabling flag of translation of non-basic entities where this isn't supported.
55 * Not appropriate for html_entity_decode/htmlspecialchars_decode */
56 #define LIMIT_ALL(all, doctype, charset) do { \
57 (all) = (all) && !CHARSET_PARTIAL_SUPPORT((charset)) && ((doctype) != ENT_HTML_DOC_XML1); \
58 } while (0)
59
60 #define MB_FAILURE(pos, advance) do { \
61 *cursor = pos + (advance); \
62 *status = FAILURE; \
63 return 0; \
64 } while (0)
65
66 #define CHECK_LEN(pos, chars_need) ((str_len - (pos)) >= (chars_need))
67
68 /* valid as single byte character or leading byte */
69 #define utf8_lead(c) ((c) < 0x80 || ((c) >= 0xC2 && (c) <= 0xF4))
70 /* whether it's actually valid depends on other stuff;
71 * this macro cannot check for non-shortest forms, surrogates or
72 * code points above 0x10FFFF */
73 #define utf8_trail(c) ((c) >= 0x80 && (c) <= 0xBF)
74
75 #define gb2312_lead(c) ((c) != 0x8E && (c) != 0x8F && (c) != 0xA0 && (c) != 0xFF)
76 #define gb2312_trail(c) ((c) >= 0xA1 && (c) <= 0xFE)
77
78 #define sjis_lead(c) ((c) != 0x80 && (c) != 0xA0 && (c) < 0xFD)
79 #define sjis_trail(c) ((c) >= 0x40 && (c) != 0x7F && (c) < 0xFD)
80
81 /* {{{ get_default_charset */
get_default_charset(void)82 static char *get_default_charset(void) {
83 if (PG(internal_encoding) && PG(internal_encoding)[0]) {
84 return PG(internal_encoding);
85 } else if (SG(default_charset) && SG(default_charset)[0] ) {
86 return SG(default_charset);
87 }
88 return NULL;
89 }
90 /* }}} */
91
92 /* {{{ get_next_char */
get_next_char(enum entity_charset charset,const unsigned char * str,size_t str_len,size_t * cursor,zend_result * status)93 static inline unsigned int get_next_char(
94 enum entity_charset charset,
95 const unsigned char *str,
96 size_t str_len,
97 size_t *cursor,
98 zend_result *status)
99 {
100 size_t pos = *cursor;
101 unsigned int this_char = 0;
102
103 *status = SUCCESS;
104 assert(pos <= str_len);
105
106 if (!CHECK_LEN(pos, 1))
107 MB_FAILURE(pos, 1);
108
109 switch (charset) {
110 case cs_utf_8:
111 {
112 /* We'll follow strategy 2. from section 3.6.1 of UTR #36:
113 * "In a reported illegal byte sequence, do not include any
114 * non-initial byte that encodes a valid character or is a leading
115 * byte for a valid sequence." */
116 unsigned char c;
117 c = str[pos];
118 if (c < 0x80) {
119 this_char = c;
120 pos++;
121 } else if (c < 0xc2) {
122 MB_FAILURE(pos, 1);
123 } else if (c < 0xe0) {
124 if (!CHECK_LEN(pos, 2))
125 MB_FAILURE(pos, 1);
126
127 if (!utf8_trail(str[pos + 1])) {
128 MB_FAILURE(pos, utf8_lead(str[pos + 1]) ? 1 : 2);
129 }
130 this_char = ((c & 0x1f) << 6) | (str[pos + 1] & 0x3f);
131 if (this_char < 0x80) { /* non-shortest form */
132 MB_FAILURE(pos, 2);
133 }
134 pos += 2;
135 } else if (c < 0xf0) {
136 size_t avail = str_len - pos;
137
138 if (avail < 3 ||
139 !utf8_trail(str[pos + 1]) || !utf8_trail(str[pos + 2])) {
140 if (avail < 2 || utf8_lead(str[pos + 1]))
141 MB_FAILURE(pos, 1);
142 else if (avail < 3 || utf8_lead(str[pos + 2]))
143 MB_FAILURE(pos, 2);
144 else
145 MB_FAILURE(pos, 3);
146 }
147
148 this_char = ((c & 0x0f) << 12) | ((str[pos + 1] & 0x3f) << 6) | (str[pos + 2] & 0x3f);
149 if (this_char < 0x800) { /* non-shortest form */
150 MB_FAILURE(pos, 3);
151 } else if (this_char >= 0xd800 && this_char <= 0xdfff) { /* surrogate */
152 MB_FAILURE(pos, 3);
153 }
154 pos += 3;
155 } else if (c < 0xf5) {
156 size_t avail = str_len - pos;
157
158 if (avail < 4 ||
159 !utf8_trail(str[pos + 1]) || !utf8_trail(str[pos + 2]) ||
160 !utf8_trail(str[pos + 3])) {
161 if (avail < 2 || utf8_lead(str[pos + 1]))
162 MB_FAILURE(pos, 1);
163 else if (avail < 3 || utf8_lead(str[pos + 2]))
164 MB_FAILURE(pos, 2);
165 else if (avail < 4 || utf8_lead(str[pos + 3]))
166 MB_FAILURE(pos, 3);
167 else
168 MB_FAILURE(pos, 4);
169 }
170
171 this_char = ((c & 0x07) << 18) | ((str[pos + 1] & 0x3f) << 12) | ((str[pos + 2] & 0x3f) << 6) | (str[pos + 3] & 0x3f);
172 if (this_char < 0x10000 || this_char > 0x10FFFF) { /* non-shortest form or outside range */
173 MB_FAILURE(pos, 4);
174 }
175 pos += 4;
176 } else {
177 MB_FAILURE(pos, 1);
178 }
179 }
180 break;
181
182 case cs_big5:
183 /* reference http://demo.icu-project.org/icu-bin/convexp?conv=big5 */
184 {
185 unsigned char c = str[pos];
186 if (c >= 0x81 && c <= 0xFE) {
187 unsigned char next;
188 if (!CHECK_LEN(pos, 2))
189 MB_FAILURE(pos, 1);
190
191 next = str[pos + 1];
192
193 if ((next >= 0x40 && next <= 0x7E) ||
194 (next >= 0xA1 && next <= 0xFE)) {
195 this_char = (c << 8) | next;
196 } else {
197 MB_FAILURE(pos, 1);
198 }
199 pos += 2;
200 } else {
201 this_char = c;
202 pos += 1;
203 }
204 }
205 break;
206
207 case cs_big5hkscs:
208 {
209 unsigned char c = str[pos];
210 if (c >= 0x81 && c <= 0xFE) {
211 unsigned char next;
212 if (!CHECK_LEN(pos, 2))
213 MB_FAILURE(pos, 1);
214
215 next = str[pos + 1];
216
217 if ((next >= 0x40 && next <= 0x7E) ||
218 (next >= 0xA1 && next <= 0xFE)) {
219 this_char = (c << 8) | next;
220 } else if (next != 0x80 && next != 0xFF) {
221 MB_FAILURE(pos, 1);
222 } else {
223 MB_FAILURE(pos, 2);
224 }
225 pos += 2;
226 } else {
227 this_char = c;
228 pos += 1;
229 }
230 }
231 break;
232
233 case cs_gb2312: /* EUC-CN */
234 {
235 unsigned char c = str[pos];
236 if (c >= 0xA1 && c <= 0xFE) {
237 unsigned char next;
238 if (!CHECK_LEN(pos, 2))
239 MB_FAILURE(pos, 1);
240
241 next = str[pos + 1];
242
243 if (gb2312_trail(next)) {
244 this_char = (c << 8) | next;
245 } else if (gb2312_lead(next)) {
246 MB_FAILURE(pos, 1);
247 } else {
248 MB_FAILURE(pos, 2);
249 }
250 pos += 2;
251 } else if (gb2312_lead(c)) {
252 this_char = c;
253 pos += 1;
254 } else {
255 MB_FAILURE(pos, 1);
256 }
257 }
258 break;
259
260 case cs_sjis:
261 {
262 unsigned char c = str[pos];
263 if ((c >= 0x81 && c <= 0x9F) || (c >= 0xE0 && c <= 0xFC)) {
264 unsigned char next;
265 if (!CHECK_LEN(pos, 2))
266 MB_FAILURE(pos, 1);
267
268 next = str[pos + 1];
269
270 if (sjis_trail(next)) {
271 this_char = (c << 8) | next;
272 } else if (sjis_lead(next)) {
273 MB_FAILURE(pos, 1);
274 } else {
275 MB_FAILURE(pos, 2);
276 }
277 pos += 2;
278 } else if (c < 0x80 || (c >= 0xA1 && c <= 0xDF)) {
279 this_char = c;
280 pos += 1;
281 } else {
282 MB_FAILURE(pos, 1);
283 }
284 }
285 break;
286
287 case cs_eucjp:
288 {
289 unsigned char c = str[pos];
290
291 if (c >= 0xA1 && c <= 0xFE) {
292 unsigned next;
293 if (!CHECK_LEN(pos, 2))
294 MB_FAILURE(pos, 1);
295 next = str[pos + 1];
296
297 if (next >= 0xA1 && next <= 0xFE) {
298 /* this a jis kanji char */
299 this_char = (c << 8) | next;
300 } else {
301 MB_FAILURE(pos, (next != 0xA0 && next != 0xFF) ? 1 : 2);
302 }
303 pos += 2;
304 } else if (c == 0x8E) {
305 unsigned next;
306 if (!CHECK_LEN(pos, 2))
307 MB_FAILURE(pos, 1);
308
309 next = str[pos + 1];
310 if (next >= 0xA1 && next <= 0xDF) {
311 /* JIS X 0201 kana */
312 this_char = (c << 8) | next;
313 } else {
314 MB_FAILURE(pos, (next != 0xA0 && next != 0xFF) ? 1 : 2);
315 }
316 pos += 2;
317 } else if (c == 0x8F) {
318 size_t avail = str_len - pos;
319
320 if (avail < 3 || !(str[pos + 1] >= 0xA1 && str[pos + 1] <= 0xFE) ||
321 !(str[pos + 2] >= 0xA1 && str[pos + 2] <= 0xFE)) {
322 if (avail < 2 || (str[pos + 1] != 0xA0 && str[pos + 1] != 0xFF))
323 MB_FAILURE(pos, 1);
324 else if (avail < 3 || (str[pos + 2] != 0xA0 && str[pos + 2] != 0xFF))
325 MB_FAILURE(pos, 2);
326 else
327 MB_FAILURE(pos, 3);
328 } else {
329 /* JIS X 0212 hojo-kanji */
330 this_char = (c << 16) | (str[pos + 1] << 8) | str[pos + 2];
331 }
332 pos += 3;
333 } else if (c != 0xA0 && c != 0xFF) {
334 /* character encoded in 1 code unit */
335 this_char = c;
336 pos += 1;
337 } else {
338 MB_FAILURE(pos, 1);
339 }
340 }
341 break;
342 default:
343 /* single-byte charsets */
344 this_char = str[pos++];
345 break;
346 }
347
348 *cursor = pos;
349 return this_char;
350 }
351 /* }}} */
352
353 /* {{{ php_next_utf8_char
354 * Public interface for get_next_char used with UTF-8 */
php_next_utf8_char(const unsigned char * str,size_t str_len,size_t * cursor,zend_result * status)355 PHPAPI unsigned int php_next_utf8_char(
356 const unsigned char *str,
357 size_t str_len,
358 size_t *cursor,
359 zend_result *status)
360 {
361 return get_next_char(cs_utf_8, str, str_len, cursor, status);
362 }
363 /* }}} */
364
365 /* {{{ entity_charset determine_charset
366 * Returns the charset identifier based on an explicitly provided charset,
367 * the internal_encoding and default_charset ini settings, or UTF-8 by default. */
determine_charset(const char * charset_hint,bool quiet)368 static enum entity_charset determine_charset(const char *charset_hint, bool quiet)
369 {
370 if (!charset_hint || !*charset_hint) {
371 charset_hint = get_default_charset();
372 }
373
374 if (charset_hint && *charset_hint) {
375 size_t len = strlen(charset_hint);
376 /* now walk the charset map and look for the codeset */
377 for (size_t i = 0; i < sizeof(charset_map)/sizeof(charset_map[0]); i++) {
378 if (len == charset_map[i].codeset_len &&
379 zend_binary_strcasecmp(charset_hint, len, charset_map[i].codeset, len) == 0) {
380 return charset_map[i].charset;
381 }
382 }
383
384 if (!quiet) {
385 php_error_docref(NULL, E_WARNING, "Charset \"%s\" is not supported, assuming UTF-8",
386 charset_hint);
387 }
388 }
389
390 return cs_utf_8;
391 }
392 /* }}} */
393
394 /* {{{ php_utf32_utf8 */
php_utf32_utf8(unsigned char * buf,unsigned k)395 static inline size_t php_utf32_utf8(unsigned char *buf, unsigned k)
396 {
397 size_t retval = 0;
398
399 /* assert(0x0 <= k <= 0x10FFFF); */
400
401 if (k < 0x80) {
402 buf[0] = k;
403 retval = 1;
404 } else if (k < 0x800) {
405 buf[0] = 0xc0 | (k >> 6);
406 buf[1] = 0x80 | (k & 0x3f);
407 retval = 2;
408 } else if (k < 0x10000) {
409 buf[0] = 0xe0 | (k >> 12);
410 buf[1] = 0x80 | ((k >> 6) & 0x3f);
411 buf[2] = 0x80 | (k & 0x3f);
412 retval = 3;
413 } else {
414 buf[0] = 0xf0 | (k >> 18);
415 buf[1] = 0x80 | ((k >> 12) & 0x3f);
416 buf[2] = 0x80 | ((k >> 6) & 0x3f);
417 buf[3] = 0x80 | (k & 0x3f);
418 retval = 4;
419 }
420 /* UTF-8 has been restricted to max 4 bytes since RFC 3629 */
421
422 return retval;
423 }
424 /* }}} */
425
426 /* {{{ unimap_bsearc_cmp
427 * Binary search of unicode code points in unicode <--> charset mapping.
428 * Returns the code point in the target charset (whose mapping table was given) or 0 if
429 * the unicode code point is not in the table.
430 */
unimap_bsearch(const uni_to_enc * table,unsigned code_key_a,size_t num)431 static inline unsigned char unimap_bsearch(const uni_to_enc *table, unsigned code_key_a, size_t num)
432 {
433 const uni_to_enc *l = table,
434 *h = &table[num-1],
435 *m;
436 unsigned short code_key;
437
438 /* we have no mappings outside the BMP */
439 if (code_key_a > 0xFFFFU)
440 return 0;
441
442 code_key = (unsigned short) code_key_a;
443
444 while (l <= h) {
445 m = l + (h - l) / 2;
446 if (code_key < m->un_code_point)
447 h = m - 1;
448 else if (code_key > m->un_code_point)
449 l = m + 1;
450 else
451 return m->cs_code;
452 }
453 return 0;
454 }
455 /* }}} */
456
457 /* {{{ map_from_unicode */
map_from_unicode(unsigned code,enum entity_charset charset,unsigned * res)458 static inline int map_from_unicode(unsigned code, enum entity_charset charset, unsigned *res)
459 {
460 unsigned char found;
461 const uni_to_enc *table;
462 size_t table_size;
463
464 switch (charset) {
465 case cs_8859_1:
466 /* identity mapping of code points to unicode */
467 if (code > 0xFF) {
468 return FAILURE;
469 }
470 *res = code;
471 break;
472
473 case cs_8859_5:
474 if (code <= 0xA0 || code == 0xAD /* soft hyphen */) {
475 *res = code;
476 } else if (code == 0x2116) {
477 *res = 0xF0; /* numero sign */
478 } else if (code == 0xA7) {
479 *res = 0xFD; /* section sign */
480 } else if (code >= 0x0401 && code <= 0x045F) {
481 if (code == 0x040D || code == 0x0450 || code == 0x045D)
482 return FAILURE;
483 *res = code - 0x360;
484 } else {
485 return FAILURE;
486 }
487 break;
488
489 case cs_8859_15:
490 if (code < 0xA4 || (code > 0xBE && code <= 0xFF)) {
491 *res = code;
492 } else { /* between A4 and 0xBE */
493 found = unimap_bsearch(unimap_iso885915,
494 code, sizeof(unimap_iso885915) / sizeof(*unimap_iso885915));
495 if (found)
496 *res = found;
497 else
498 return FAILURE;
499 }
500 break;
501
502 case cs_cp1252:
503 if (code <= 0x7F || (code >= 0xA0 && code <= 0xFF)) {
504 *res = code;
505 } else {
506 found = unimap_bsearch(unimap_win1252,
507 code, sizeof(unimap_win1252) / sizeof(*unimap_win1252));
508 if (found)
509 *res = found;
510 else
511 return FAILURE;
512 }
513 break;
514
515 case cs_macroman:
516 if (code == 0x7F)
517 return FAILURE;
518 table = unimap_macroman;
519 table_size = sizeof(unimap_macroman) / sizeof(*unimap_macroman);
520 goto table_over_7F;
521 case cs_cp1251:
522 table = unimap_win1251;
523 table_size = sizeof(unimap_win1251) / sizeof(*unimap_win1251);
524 goto table_over_7F;
525 case cs_koi8r:
526 table = unimap_koi8r;
527 table_size = sizeof(unimap_koi8r) / sizeof(*unimap_koi8r);
528 goto table_over_7F;
529 case cs_cp866:
530 table = unimap_cp866;
531 table_size = sizeof(unimap_cp866) / sizeof(*unimap_cp866);
532
533 table_over_7F:
534 if (code <= 0x7F) {
535 *res = code;
536 } else {
537 found = unimap_bsearch(table, code, table_size);
538 if (found)
539 *res = found;
540 else
541 return FAILURE;
542 }
543 break;
544
545 /* from here on, only map the possible characters in the ASCII range.
546 * to improve support here, it's a matter of building the unicode mappings.
547 * See <http://www.unicode.org/Public/6.0.0/ucd/Unihan.zip> */
548 case cs_sjis:
549 case cs_eucjp:
550 /* we interpret 0x5C as the Yen symbol. This is not universal.
551 * See <http://www.w3.org/Submission/japanese-xml/#ambiguity_of_yen> */
552 if (code >= 0x20 && code <= 0x7D) {
553 if (code == 0x5C)
554 return FAILURE;
555 *res = code;
556 } else {
557 return FAILURE;
558 }
559 break;
560
561 case cs_big5:
562 case cs_big5hkscs:
563 case cs_gb2312:
564 if (code >= 0x20 && code <= 0x7D) {
565 *res = code;
566 } else {
567 return FAILURE;
568 }
569 break;
570
571 default:
572 return FAILURE;
573 }
574
575 return SUCCESS;
576 }
577 /* }}} */
578
579 /* {{{ */
map_to_unicode(unsigned code,const enc_to_uni * table,unsigned * res)580 static inline void map_to_unicode(unsigned code, const enc_to_uni *table, unsigned *res)
581 {
582 /* only single byte encodings are currently supported; assumed code <= 0xFF */
583 *res = table->inner[ENT_ENC_TO_UNI_STAGE1(code)]->uni_cp[ENT_ENC_TO_UNI_STAGE2(code)];
584 }
585 /* }}} */
586
587 /* {{{ unicode_cp_is_allowed */
unicode_cp_is_allowed(unsigned uni_cp,int document_type)588 static inline int unicode_cp_is_allowed(unsigned uni_cp, int document_type)
589 {
590 /* XML 1.0 HTML 4.01 HTML 5
591 * 0x09..0x0A 0x09..0x0A 0x09..0x0A
592 * 0x0D 0x0D 0x0C..0x0D
593 * 0x0020..0xD7FF 0x20..0x7E 0x20..0x7E
594 * 0x00A0..0xD7FF 0x00A0..0xD7FF
595 * 0xE000..0xFFFD 0xE000..0x10FFFF 0xE000..0xFDCF
596 * 0x010000..0x10FFFF 0xFDF0..0x10FFFF (*)
597 *
598 * (*) exclude code points where ((code & 0xFFFF) >= 0xFFFE)
599 *
600 * References:
601 * XML 1.0: <http://www.w3.org/TR/REC-xml/#charsets>
602 * HTML 4.01: <http://www.w3.org/TR/1999/PR-html40-19990824/sgml/sgmldecl.html>
603 * HTML 5: <http://dev.w3.org/html5/spec/Overview.html#preprocessing-the-input-stream>
604 *
605 * Not sure this is the relevant part for HTML 5, though. I opted to
606 * disallow the characters that would result in a parse error when
607 * preprocessing of the input stream. See also section 8.1.3.
608 *
609 * It's unclear if XHTML 1.0 allows C1 characters. I'll opt to apply to
610 * XHTML 1.0 the same rules as for XML 1.0.
611 * See <http://cmsmcq.com/2007/C1.xml>.
612 */
613
614 switch (document_type) {
615 case ENT_HTML_DOC_HTML401:
616 return (uni_cp >= 0x20 && uni_cp <= 0x7E) ||
617 (uni_cp == 0x0A || uni_cp == 0x09 || uni_cp == 0x0D) ||
618 (uni_cp >= 0xA0 && uni_cp <= 0xD7FF) ||
619 (uni_cp >= 0xE000 && uni_cp <= 0x10FFFF);
620 case ENT_HTML_DOC_HTML5:
621 return (uni_cp >= 0x20 && uni_cp <= 0x7E) ||
622 (uni_cp >= 0x09 && uni_cp <= 0x0D && uni_cp != 0x0B) || /* form feed U+0C allowed */
623 (uni_cp >= 0xA0 && uni_cp <= 0xD7FF) ||
624 (uni_cp >= 0xE000 && uni_cp <= 0x10FFFF &&
625 ((uni_cp & 0xFFFF) < 0xFFFE) && /* last two of each plane (nonchars) disallowed */
626 (uni_cp < 0xFDD0 || uni_cp > 0xFDEF)); /* U+FDD0-U+FDEF (nonchars) disallowed */
627 case ENT_HTML_DOC_XHTML:
628 case ENT_HTML_DOC_XML1:
629 return (uni_cp >= 0x20 && uni_cp <= 0xD7FF) ||
630 (uni_cp == 0x0A || uni_cp == 0x09 || uni_cp == 0x0D) ||
631 (uni_cp >= 0xE000 && uni_cp <= 0x10FFFF && uni_cp != 0xFFFE && uni_cp != 0xFFFF);
632 default:
633 return 1;
634 }
635 }
636 /* }}} */
637
638 /* {{{ unicode_cp_is_allowed */
numeric_entity_is_allowed(unsigned uni_cp,int document_type)639 static inline int numeric_entity_is_allowed(unsigned uni_cp, int document_type)
640 {
641 /* less restrictive than unicode_cp_is_allowed */
642 switch (document_type) {
643 case ENT_HTML_DOC_HTML401:
644 /* all non-SGML characters (those marked with UNUSED in DESCSET) should be
645 * representable with numeric entities */
646 return uni_cp <= 0x10FFFF;
647 case ENT_HTML_DOC_HTML5:
648 /* 8.1.4. The numeric character reference forms described above are allowed to
649 * reference any Unicode code point other than U+0000, U+000D, permanently
650 * undefined Unicode characters (noncharacters), and control characters other
651 * than space characters (U+0009, U+000A, U+000C and U+000D) */
652 /* seems to allow surrogate characters, then */
653 return (uni_cp >= 0x20 && uni_cp <= 0x7E) ||
654 (uni_cp >= 0x09 && uni_cp <= 0x0C && uni_cp != 0x0B) || /* form feed U+0C allowed, but not U+0D */
655 (uni_cp >= 0xA0 && uni_cp <= 0x10FFFF &&
656 ((uni_cp & 0xFFFF) < 0xFFFE) && /* last two of each plane (nonchars) disallowed */
657 (uni_cp < 0xFDD0 || uni_cp > 0xFDEF)); /* U+FDD0-U+FDEF (nonchars) disallowed */
658 case ENT_HTML_DOC_XHTML:
659 case ENT_HTML_DOC_XML1:
660 /* OTOH, XML 1.0 requires "character references to match the production for Char
661 * See <http://www.w3.org/TR/REC-xml/#NT-CharRef> */
662 return unicode_cp_is_allowed(uni_cp, document_type);
663 default:
664 return 1;
665 }
666 }
667 /* }}} */
668
669 /* {{{ process_numeric_entity
670 * Auxiliary function to traverse_for_entities.
671 * On input, *buf should point to the first character after # and on output, it's the last
672 * byte read, no matter if there was success or insuccess.
673 */
process_numeric_entity(const char ** buf,unsigned * code_point)674 static inline int process_numeric_entity(const char **buf, unsigned *code_point)
675 {
676 zend_long code_l;
677 int hexadecimal = (**buf == 'x' || **buf == 'X'); /* TODO: XML apparently disallows "X" */
678 char *endptr;
679
680 if (hexadecimal)
681 (*buf)++;
682
683 /* strtol allows whitespace and other stuff in the beginning
684 * we're not interested */
685 if ((hexadecimal && !isxdigit(**buf)) ||
686 (!hexadecimal && !isdigit(**buf))) {
687 return FAILURE;
688 }
689
690 code_l = ZEND_STRTOL(*buf, &endptr, hexadecimal ? 16 : 10);
691 /* we're guaranteed there were valid digits, so *endptr > buf */
692 *buf = endptr;
693
694 if (**buf != ';')
695 return FAILURE;
696
697 /* many more are invalid, but that depends on whether it's HTML
698 * (and which version) or XML. */
699 if (code_l > Z_L(0x10FFFF))
700 return FAILURE;
701
702 if (code_point != NULL)
703 *code_point = (unsigned)code_l;
704
705 return SUCCESS;
706 }
707 /* }}} */
708
709 /* {{{ process_named_entity */
process_named_entity_html(const char ** buf,const char ** start,size_t * length)710 static inline int process_named_entity_html(const char **buf, const char **start, size_t *length)
711 {
712 *start = *buf;
713
714 /* "&" is represented by a 0x26 in all supported encodings. That means
715 * the byte after represents a character or is the leading byte of a
716 * sequence of 8-bit code units. If in the ranges below, it represents
717 * necessarily an alpha character because none of the supported encodings
718 * has an overlap with ASCII in the leading byte (only on the second one) */
719 while ((**buf >= 'a' && **buf <= 'z') ||
720 (**buf >= 'A' && **buf <= 'Z') ||
721 (**buf >= '0' && **buf <= '9')) {
722 (*buf)++;
723 }
724
725 if (**buf != ';')
726 return FAILURE;
727
728 /* cast to size_t OK as the quantity is always non-negative */
729 *length = *buf - *start;
730
731 if (*length == 0)
732 return FAILURE;
733
734 return SUCCESS;
735 }
736 /* }}} */
737
738 /* {{{ resolve_named_entity_html */
resolve_named_entity_html(const char * start,size_t length,const entity_ht * ht,unsigned * uni_cp1,unsigned * uni_cp2)739 static int resolve_named_entity_html(const char *start, size_t length, const entity_ht *ht, unsigned *uni_cp1, unsigned *uni_cp2)
740 {
741 const entity_cp_map *s;
742 zend_ulong hash = zend_inline_hash_func(start, length);
743
744 s = ht->buckets[hash % ht->num_elems];
745 while (s->entity) {
746 if (s->entity_len == length) {
747 if (memcmp(start, s->entity, length) == 0) {
748 *uni_cp1 = s->codepoint1;
749 *uni_cp2 = s->codepoint2;
750 return SUCCESS;
751 }
752 }
753 s++;
754 }
755 return FAILURE;
756 }
757 /* }}} */
758
write_octet_sequence(unsigned char * buf,enum entity_charset charset,unsigned code)759 static inline size_t write_octet_sequence(unsigned char *buf, enum entity_charset charset, unsigned code) {
760 /* code is not necessarily a unicode code point */
761 switch (charset) {
762 case cs_utf_8:
763 return php_utf32_utf8(buf, code);
764
765 case cs_8859_1:
766 case cs_cp1252:
767 case cs_8859_15:
768 case cs_koi8r:
769 case cs_cp1251:
770 case cs_8859_5:
771 case cs_cp866:
772 case cs_macroman:
773 /* single byte stuff */
774 *buf = code;
775 return 1;
776
777 case cs_big5:
778 case cs_big5hkscs:
779 case cs_sjis:
780 case cs_gb2312:
781 /* we don't have complete unicode mappings for these yet in entity_decode,
782 * and we opt to pass through the octet sequences for these in htmlentities
783 * instead of converting to an int and then converting back. */
784 #if 0
785 return php_mb2_int_to_char(buf, code);
786 #else
787 #if ZEND_DEBUG
788 assert(code <= 0xFFU);
789 #endif
790 *buf = code;
791 return 1;
792 #endif
793
794 case cs_eucjp:
795 #if 0 /* idem */
796 return php_mb2_int_to_char(buf, code);
797 #else
798 #if ZEND_DEBUG
799 assert(code <= 0xFFU);
800 #endif
801 *buf = code;
802 return 1;
803 #endif
804
805 default:
806 assert(0);
807 return 0;
808 }
809 }
810
811 /* {{{ traverse_for_entities
812 * Auxiliary function to php_unescape_html_entities().
813 * - The argument "all" determines if all numeric entities are decode or only those
814 * that correspond to quotes (depending on quote_style).
815 */
816 /* maximum expansion (factor 1.2) for HTML 5 with ≫⃒ and ≪⃒ */
817 /* +2 is 1 because of rest (probably unnecessary), 1 because of terminating 0 */
818 #define TRAVERSE_FOR_ENTITIES_EXPAND_SIZE(oldlen) ((oldlen) + (oldlen) / 5 + 2)
traverse_for_entities(const char * old,size_t oldlen,zend_string * ret,int all,int flags,const entity_ht * inv_map,enum entity_charset charset)819 static void traverse_for_entities(
820 const char *old,
821 size_t oldlen,
822 zend_string *ret, /* should have allocated TRAVERSE_FOR_ENTITIES_EXPAND_SIZE(olden) */
823 int all,
824 int flags,
825 const entity_ht *inv_map,
826 enum entity_charset charset)
827 {
828 const char *p,
829 *lim;
830 char *q;
831 int doctype = flags & ENT_HTML_DOC_TYPE_MASK;
832
833 lim = old + oldlen; /* terminator address */
834 assert(*lim == '\0');
835
836 for (p = old, q = ZSTR_VAL(ret); p < lim;) {
837 unsigned code, code2 = 0;
838 const char *next = NULL; /* when set, next > p, otherwise possible inf loop */
839
840 /* Shift JIS, Big5 and HKSCS use multi-byte encodings where an
841 * ASCII range byte can be part of a multi-byte sequence.
842 * However, they start at 0x40, therefore if we find a 0x26 byte,
843 * we're sure it represents the '&' character. */
844
845 /* assumes there are no single-char entities */
846 if (p[0] != '&' || (p + 3 >= lim)) {
847 *(q++) = *(p++);
848 continue;
849 }
850
851 /* now p[3] is surely valid and is no terminator */
852
853 /* numerical entity */
854 if (p[1] == '#') {
855 next = &p[2];
856 if (process_numeric_entity(&next, &code) == FAILURE)
857 goto invalid_code;
858
859 /* If we're in htmlspecialchars_decode, we're only decoding entities
860 * that represent &, <, >, " and '. Is this one of them? */
861 if (!all && (code > 63U ||
862 stage3_table_be_apos_00000[code].data.ent.entity == NULL))
863 goto invalid_code;
864
865 /* are we allowed to decode this entity in this document type?
866 * HTML 5 is the only that has a character that cannot be used in
867 * a numeric entity but is allowed literally (U+000D). The
868 * unoptimized version would be ... || !numeric_entity_is_allowed(code) */
869 if (!unicode_cp_is_allowed(code, doctype) ||
870 (doctype == ENT_HTML_DOC_HTML5 && code == 0x0D))
871 goto invalid_code;
872 } else {
873 const char *start;
874 size_t ent_len;
875
876 next = &p[1];
877 start = next;
878
879 if (process_named_entity_html(&next, &start, &ent_len) == FAILURE)
880 goto invalid_code;
881
882 if (resolve_named_entity_html(start, ent_len, inv_map, &code, &code2) == FAILURE) {
883 if (doctype == ENT_HTML_DOC_XHTML && ent_len == 4 && start[0] == 'a'
884 && start[1] == 'p' && start[2] == 'o' && start[3] == 's') {
885 /* uses html4 inv_map, which doesn't include apos;. This is a
886 * hack to support it */
887 code = (unsigned) '\'';
888 } else {
889 goto invalid_code;
890 }
891 }
892 }
893
894 assert(*next == ';');
895
896 if (((code == '\'' && !(flags & ENT_HTML_QUOTE_SINGLE)) ||
897 (code == '"' && !(flags & ENT_HTML_QUOTE_DOUBLE)))
898 /* && code2 == '\0' always true for current maps */)
899 goto invalid_code;
900
901 /* UTF-8 doesn't need mapping (ISO-8859-1 doesn't either, but
902 * the call is needed to ensure the codepoint <= U+00FF) */
903 if (charset != cs_utf_8) {
904 /* replace unicode code point */
905 if (map_from_unicode(code, charset, &code) == FAILURE || code2 != 0)
906 goto invalid_code; /* not representable in target charset */
907 }
908
909 q += write_octet_sequence((unsigned char*)q, charset, code);
910 if (code2) {
911 q += write_octet_sequence((unsigned char*)q, charset, code2);
912 }
913
914 /* jump over the valid entity; may go beyond size of buffer; np */
915 p = next + 1;
916 continue;
917
918 invalid_code:
919 for (; p < next; p++) {
920 *(q++) = *p;
921 }
922 }
923
924 *q = '\0';
925 ZSTR_LEN(ret) = (size_t)(q - ZSTR_VAL(ret));
926 }
927 /* }}} */
928
929 /* {{{ unescape_inverse_map */
unescape_inverse_map(int all,int flags)930 static const entity_ht *unescape_inverse_map(int all, int flags)
931 {
932 int document_type = flags & ENT_HTML_DOC_TYPE_MASK;
933
934 if (all) {
935 switch (document_type) {
936 case ENT_HTML_DOC_HTML401:
937 case ENT_HTML_DOC_XHTML: /* but watch out for '...*/
938 return &ent_ht_html4;
939 case ENT_HTML_DOC_HTML5:
940 return &ent_ht_html5;
941 default:
942 return &ent_ht_be_apos;
943 }
944 } else {
945 switch (document_type) {
946 case ENT_HTML_DOC_HTML401:
947 return &ent_ht_be_noapos;
948 default:
949 return &ent_ht_be_apos;
950 }
951 }
952 }
953 /* }}} */
954
955 /* {{{ determine_entity_table
956 * Entity table to use. Note that entity tables are defined in terms of
957 * unicode code points */
determine_entity_table(int all,int doctype)958 static entity_table_opt determine_entity_table(int all, int doctype)
959 {
960 entity_table_opt retval = {0};
961
962 assert(!(doctype == ENT_HTML_DOC_XML1 && all));
963
964 if (all) {
965 retval.ms_table = (doctype == ENT_HTML_DOC_HTML5) ?
966 entity_ms_table_html5 : entity_ms_table_html4;
967 } else {
968 retval.table = (doctype == ENT_HTML_DOC_HTML401) ?
969 stage3_table_be_noapos_00000 : stage3_table_be_apos_00000;
970 }
971 return retval;
972 }
973 /* }}} */
974
975 /* {{{ php_unescape_html_entities
976 * The parameter "all" should be true to decode all possible entities, false to decode
977 * only the basic ones, i.e., those in basic_entities_ex + the numeric entities
978 * that correspond to quotes.
979 */
php_unescape_html_entities(zend_string * str,int all,int flags,const char * hint_charset)980 PHPAPI zend_string *php_unescape_html_entities(zend_string *str, int all, int flags, const char *hint_charset)
981 {
982 zend_string *ret;
983 enum entity_charset charset;
984 const entity_ht *inverse_map;
985 size_t new_size;
986
987 if (!memchr(ZSTR_VAL(str), '&', ZSTR_LEN(str))) {
988 return zend_string_copy(str);
989 }
990
991 if (all) {
992 charset = determine_charset(hint_charset, /* quiet */ 0);
993 } else {
994 charset = cs_8859_1; /* charset shouldn't matter, use ISO-8859-1 for performance */
995 }
996
997 /* don't use LIMIT_ALL! */
998
999 new_size = TRAVERSE_FOR_ENTITIES_EXPAND_SIZE(ZSTR_LEN(str));
1000 if (ZSTR_LEN(str) > new_size) {
1001 /* overflow, refuse to do anything */
1002 return zend_string_copy(str);
1003 }
1004
1005 ret = zend_string_alloc(new_size, 0);
1006
1007 inverse_map = unescape_inverse_map(all, flags);
1008
1009 /* replace numeric entities */
1010 traverse_for_entities(ZSTR_VAL(str), ZSTR_LEN(str), ret, all, flags, inverse_map, charset);
1011
1012 return ret;
1013 }
1014 /* }}} */
1015
php_escape_html_entities(const unsigned char * old,size_t oldlen,int all,int flags,const char * hint_charset)1016 PHPAPI zend_string *php_escape_html_entities(const unsigned char *old, size_t oldlen, int all, int flags, const char *hint_charset)
1017 {
1018 return php_escape_html_entities_ex(old, oldlen, all, flags, hint_charset, 1, /* quiet */ 0);
1019 }
1020
1021 /* {{{ find_entity_for_char */
find_entity_for_char(unsigned int k,enum entity_charset charset,const entity_stage1_row * table,const unsigned char ** entity,size_t * entity_len,const unsigned char * old,size_t oldlen,size_t * cursor)1022 static inline void find_entity_for_char(
1023 unsigned int k,
1024 enum entity_charset charset,
1025 const entity_stage1_row *table,
1026 const unsigned char **entity,
1027 size_t *entity_len,
1028 const unsigned char *old,
1029 size_t oldlen,
1030 size_t *cursor)
1031 {
1032 unsigned stage1_idx = ENT_STAGE1_INDEX(k);
1033 const entity_stage3_row *c;
1034
1035 if (stage1_idx > 0x1D) {
1036 *entity = NULL;
1037 *entity_len = 0;
1038 return;
1039 }
1040
1041 c = &table[stage1_idx][ENT_STAGE2_INDEX(k)][ENT_STAGE3_INDEX(k)];
1042
1043 if (!c->ambiguous) {
1044 *entity = (const unsigned char *)c->data.ent.entity;
1045 *entity_len = c->data.ent.entity_len;
1046 } else {
1047 /* peek at next char */
1048 size_t cursor_before = *cursor;
1049 zend_result status = SUCCESS;
1050 unsigned next_char;
1051
1052 if (!(*cursor < oldlen))
1053 goto no_suitable_2nd;
1054
1055 next_char = get_next_char(charset, old, oldlen, cursor, &status);
1056
1057 if (status == FAILURE)
1058 goto no_suitable_2nd;
1059
1060 {
1061 const entity_multicodepoint_row *s, *e;
1062
1063 s = &c->data.multicodepoint_table[1];
1064 e = s - 1 + c->data.multicodepoint_table[0].leading_entry.size;
1065 /* we could do a binary search but it's not worth it since we have
1066 * at most two entries... */
1067 for ( ; s <= e; s++) {
1068 if (s->normal_entry.second_cp == next_char) {
1069 *entity = (const unsigned char *) s->normal_entry.entity;
1070 *entity_len = s->normal_entry.entity_len;
1071 return;
1072 }
1073 }
1074 }
1075 no_suitable_2nd:
1076 *cursor = cursor_before;
1077 *entity = (const unsigned char *)
1078 c->data.multicodepoint_table[0].leading_entry.default_entity;
1079 *entity_len = c->data.multicodepoint_table[0].leading_entry.default_entity_len;
1080 }
1081 }
1082 /* }}} */
1083
1084 /* {{{ find_entity_for_char_basic */
find_entity_for_char_basic(unsigned int k,const entity_stage3_row * table,const unsigned char ** entity,size_t * entity_len)1085 static inline void find_entity_for_char_basic(
1086 unsigned int k,
1087 const entity_stage3_row *table,
1088 const unsigned char **entity,
1089 size_t *entity_len)
1090 {
1091 if (k >= 64U) {
1092 *entity = NULL;
1093 *entity_len = 0;
1094 return;
1095 }
1096
1097 *entity = (const unsigned char *) table[k].data.ent.entity;
1098 *entity_len = table[k].data.ent.entity_len;
1099 }
1100 /* }}} */
1101
1102 /* {{{ php_escape_html_entities */
php_escape_html_entities_ex(const unsigned char * old,size_t oldlen,int all,int flags,const char * hint_charset,bool double_encode,bool quiet)1103 PHPAPI zend_string *php_escape_html_entities_ex(const unsigned char *old, size_t oldlen, int all, int flags, const char *hint_charset, bool double_encode, bool quiet)
1104 {
1105 size_t cursor, maxlen, len;
1106 zend_string *replaced;
1107 enum entity_charset charset = determine_charset(hint_charset, quiet);
1108 int doctype = flags & ENT_HTML_DOC_TYPE_MASK;
1109 entity_table_opt entity_table;
1110 const enc_to_uni *to_uni_table = NULL;
1111 const entity_ht *inv_map = NULL; /* used for !double_encode */
1112 /* only used if flags includes ENT_HTML_IGNORE_ERRORS or ENT_HTML_SUBSTITUTE_DISALLOWED_CHARS */
1113 const unsigned char *replacement = NULL;
1114 size_t replacement_len = 0;
1115
1116 if (all) { /* replace with all named entities */
1117 if (!quiet && CHARSET_PARTIAL_SUPPORT(charset)) {
1118 php_error_docref(NULL, E_NOTICE, "Only basic entities "
1119 "substitution is supported for multi-byte encodings other than UTF-8; "
1120 "functionality is equivalent to htmlspecialchars");
1121 }
1122 LIMIT_ALL(all, doctype, charset);
1123 }
1124 entity_table = determine_entity_table(all, doctype);
1125 if (all && !CHARSET_UNICODE_COMPAT(charset)) {
1126 to_uni_table = enc_to_uni_index[charset];
1127 }
1128
1129 if (!double_encode) {
1130 /* first arg is 1 because we want to identify valid named entities
1131 * even if we are only encoding the basic ones */
1132 inv_map = unescape_inverse_map(1, flags);
1133 }
1134
1135 if (flags & (ENT_HTML_SUBSTITUTE_ERRORS | ENT_HTML_SUBSTITUTE_DISALLOWED_CHARS)) {
1136 if (charset == cs_utf_8) {
1137 replacement = (const unsigned char*)"\xEF\xBF\xBD";
1138 replacement_len = sizeof("\xEF\xBF\xBD") - 1;
1139 } else {
1140 replacement = (const unsigned char*)"�";
1141 replacement_len = sizeof("�") - 1;
1142 }
1143 }
1144
1145 /* initial estimate */
1146 if (oldlen < 64) {
1147 maxlen = 128;
1148 } else {
1149 maxlen = zend_safe_addmult(oldlen, 2, 0, "html_entities");
1150 }
1151
1152 replaced = zend_string_alloc(maxlen, 0);
1153 len = 0;
1154 cursor = 0;
1155 while (cursor < oldlen) {
1156 const unsigned char *mbsequence = NULL;
1157 size_t mbseqlen = 0,
1158 cursor_before = cursor;
1159 zend_result status = SUCCESS;
1160 unsigned int this_char = get_next_char(charset, old, oldlen, &cursor, &status);
1161
1162 /* guarantee we have at least 40 bytes to write.
1163 * In HTML5, entities may take up to 33 bytes */
1164 if (len > maxlen - 40) { /* maxlen can never be smaller than 128 */
1165 replaced = zend_string_safe_realloc(replaced, maxlen, 1, 128, 0);
1166 maxlen += 128;
1167 }
1168
1169 if (status == FAILURE) {
1170 /* invalid MB sequence */
1171 if (flags & ENT_HTML_IGNORE_ERRORS) {
1172 continue;
1173 } else if (flags & ENT_HTML_SUBSTITUTE_ERRORS) {
1174 memcpy(&ZSTR_VAL(replaced)[len], replacement, replacement_len);
1175 len += replacement_len;
1176 continue;
1177 } else {
1178 zend_string_efree(replaced);
1179 return ZSTR_EMPTY_ALLOC();
1180 }
1181 } else { /* SUCCESS */
1182 mbsequence = &old[cursor_before];
1183 mbseqlen = cursor - cursor_before;
1184 }
1185
1186 if (this_char != '&') { /* no entity on this position */
1187 const unsigned char *rep = NULL;
1188 size_t rep_len = 0;
1189
1190 if (((this_char == '\'' && !(flags & ENT_HTML_QUOTE_SINGLE)) ||
1191 (this_char == '"' && !(flags & ENT_HTML_QUOTE_DOUBLE))))
1192 goto pass_char_through;
1193
1194 if (all) { /* false that CHARSET_PARTIAL_SUPPORT(charset) */
1195 if (to_uni_table != NULL) {
1196 /* !CHARSET_UNICODE_COMPAT therefore not UTF-8; since UTF-8
1197 * is the only multibyte encoding with !CHARSET_PARTIAL_SUPPORT,
1198 * we're using a single byte encoding */
1199 map_to_unicode(this_char, to_uni_table, &this_char);
1200 if (this_char == 0xFFFF) /* no mapping; pass through */
1201 goto pass_char_through;
1202 }
1203 /* the cursor may advance */
1204 find_entity_for_char(this_char, charset, entity_table.ms_table, &rep,
1205 &rep_len, old, oldlen, &cursor);
1206 } else {
1207 find_entity_for_char_basic(this_char, entity_table.table, &rep, &rep_len);
1208 }
1209
1210 if (rep != NULL) {
1211 ZSTR_VAL(replaced)[len++] = '&';
1212 memcpy(&ZSTR_VAL(replaced)[len], rep, rep_len);
1213 len += rep_len;
1214 ZSTR_VAL(replaced)[len++] = ';';
1215 } else {
1216 /* we did not find an entity for this char.
1217 * check for its validity, if its valid pass it unchanged */
1218 if (flags & ENT_HTML_SUBSTITUTE_DISALLOWED_CHARS) {
1219 if (CHARSET_UNICODE_COMPAT(charset)) {
1220 if (!unicode_cp_is_allowed(this_char, doctype)) {
1221 mbsequence = replacement;
1222 mbseqlen = replacement_len;
1223 }
1224 } else if (to_uni_table) {
1225 if (!all) /* otherwise we already did this */
1226 map_to_unicode(this_char, to_uni_table, &this_char);
1227 if (!unicode_cp_is_allowed(this_char, doctype)) {
1228 mbsequence = replacement;
1229 mbseqlen = replacement_len;
1230 }
1231 } else {
1232 /* not a unicode code point, unless, coincidentally, it's in
1233 * the 0x20..0x7D range (except 0x5C in sjis). We know nothing
1234 * about other code points, because we have no tables. Since
1235 * Unicode code points in that range are not disallowed in any
1236 * document type, we could do nothing. However, conversion
1237 * tables frequently map 0x00-0x1F to the respective C0 code
1238 * points. Let's play it safe and admit that's the case */
1239 if (this_char <= 0x7D &&
1240 !unicode_cp_is_allowed(this_char, doctype)) {
1241 mbsequence = replacement;
1242 mbseqlen = replacement_len;
1243 }
1244 }
1245 }
1246 pass_char_through:
1247 if (mbseqlen > 1) {
1248 memcpy(ZSTR_VAL(replaced) + len, mbsequence, mbseqlen);
1249 len += mbseqlen;
1250 } else {
1251 ZSTR_VAL(replaced)[len++] = mbsequence[0];
1252 }
1253 }
1254 } else { /* this_char == '&' */
1255 if (double_encode) {
1256 encode_amp:
1257 memcpy(&ZSTR_VAL(replaced)[len], "&", sizeof("&") - 1);
1258 len += sizeof("&") - 1;
1259 } else { /* no double encode */
1260 /* check if entity is valid */
1261 size_t ent_len; /* not counting & or ; */
1262 /* peek at next char */
1263 if (old[cursor] == '#') { /* numeric entity */
1264 unsigned code_point;
1265 int valid;
1266 char *pos = (char*)&old[cursor+1];
1267 valid = process_numeric_entity((const char **)&pos, &code_point);
1268 if (valid == FAILURE)
1269 goto encode_amp;
1270 if (flags & ENT_HTML_SUBSTITUTE_DISALLOWED_CHARS) {
1271 if (!numeric_entity_is_allowed(code_point, doctype))
1272 goto encode_amp;
1273 }
1274 ent_len = pos - (char*)&old[cursor];
1275 } else { /* named entity */
1276 /* check for vality of named entity */
1277 const char *start = (const char *) &old[cursor],
1278 *next = start;
1279 unsigned dummy1, dummy2;
1280
1281 if (process_named_entity_html(&next, &start, &ent_len) == FAILURE)
1282 goto encode_amp;
1283 if (resolve_named_entity_html(start, ent_len, inv_map, &dummy1, &dummy2) == FAILURE) {
1284 if (!(doctype == ENT_HTML_DOC_XHTML && ent_len == 4 && start[0] == 'a'
1285 && start[1] == 'p' && start[2] == 'o' && start[3] == 's')) {
1286 /* uses html4 inv_map, which doesn't include apos;. This is a
1287 * hack to support it */
1288 goto encode_amp;
1289 }
1290 }
1291 }
1292 /* checks passed; copy entity to result */
1293 /* entity size is unbounded, we may need more memory */
1294 /* at this point maxlen - len >= 40 */
1295 if (maxlen - len < ent_len + 2 /* & and ; */) {
1296 /* ent_len < oldlen, which is certainly <= SIZE_MAX/2 */
1297 replaced = zend_string_safe_realloc(replaced, maxlen, 1, ent_len + 128, 0);
1298 maxlen += ent_len + 128;
1299 }
1300 ZSTR_VAL(replaced)[len++] = '&';
1301 memcpy(&ZSTR_VAL(replaced)[len], &old[cursor], ent_len);
1302 len += ent_len;
1303 ZSTR_VAL(replaced)[len++] = ';';
1304 cursor += ent_len + 1;
1305 }
1306 }
1307 }
1308 ZSTR_VAL(replaced)[len] = '\0';
1309 ZSTR_LEN(replaced) = len;
1310
1311 return replaced;
1312 }
1313 /* }}} */
1314
1315 /* {{{ php_html_entities */
php_html_entities(INTERNAL_FUNCTION_PARAMETERS,int all)1316 static void php_html_entities(INTERNAL_FUNCTION_PARAMETERS, int all)
1317 {
1318 zend_string *str, *hint_charset = NULL;
1319 zend_long flags = ENT_QUOTES|ENT_SUBSTITUTE;
1320 zend_string *replaced;
1321 bool double_encode = 1;
1322
1323 ZEND_PARSE_PARAMETERS_START(1, 4)
1324 Z_PARAM_STR(str)
1325 Z_PARAM_OPTIONAL
1326 Z_PARAM_LONG(flags)
1327 Z_PARAM_STR_OR_NULL(hint_charset)
1328 Z_PARAM_BOOL(double_encode);
1329 ZEND_PARSE_PARAMETERS_END();
1330
1331 replaced = php_escape_html_entities_ex(
1332 (unsigned char*)ZSTR_VAL(str), ZSTR_LEN(str), all, (int) flags,
1333 hint_charset ? ZSTR_VAL(hint_charset) : NULL, double_encode, /* quiet */ 0);
1334 RETVAL_STR(replaced);
1335 }
1336 /* }}} */
1337
1338 /* {{{ Convert special characters to HTML entities */
PHP_FUNCTION(htmlspecialchars)1339 PHP_FUNCTION(htmlspecialchars)
1340 {
1341 php_html_entities(INTERNAL_FUNCTION_PARAM_PASSTHRU, 0);
1342 }
1343 /* }}} */
1344
1345 /* {{{ Convert special HTML entities back to characters */
PHP_FUNCTION(htmlspecialchars_decode)1346 PHP_FUNCTION(htmlspecialchars_decode)
1347 {
1348 zend_string *str;
1349 zend_long quote_style = ENT_QUOTES|ENT_SUBSTITUTE;
1350 zend_string *replaced;
1351
1352 ZEND_PARSE_PARAMETERS_START(1, 2)
1353 Z_PARAM_STR(str)
1354 Z_PARAM_OPTIONAL
1355 Z_PARAM_LONG(quote_style)
1356 ZEND_PARSE_PARAMETERS_END();
1357
1358 replaced = php_unescape_html_entities(str, 0 /*!all*/, (int)quote_style, NULL);
1359 RETURN_STR(replaced);
1360 }
1361 /* }}} */
1362
1363 /* {{{ Convert all HTML entities to their applicable characters */
PHP_FUNCTION(html_entity_decode)1364 PHP_FUNCTION(html_entity_decode)
1365 {
1366 zend_string *str, *hint_charset = NULL;
1367 zend_long quote_style = ENT_QUOTES|ENT_SUBSTITUTE;
1368 zend_string *replaced;
1369
1370 ZEND_PARSE_PARAMETERS_START(1, 3)
1371 Z_PARAM_STR(str)
1372 Z_PARAM_OPTIONAL
1373 Z_PARAM_LONG(quote_style)
1374 Z_PARAM_STR_OR_NULL(hint_charset)
1375 ZEND_PARSE_PARAMETERS_END();
1376
1377 replaced = php_unescape_html_entities(
1378 str, 1 /*all*/, (int)quote_style, hint_charset ? ZSTR_VAL(hint_charset) : NULL);
1379 RETURN_STR(replaced);
1380 }
1381 /* }}} */
1382
1383
1384 /* {{{ Convert all applicable characters to HTML entities */
PHP_FUNCTION(htmlentities)1385 PHP_FUNCTION(htmlentities)
1386 {
1387 php_html_entities(INTERNAL_FUNCTION_PARAM_PASSTHRU, 1);
1388 }
1389 /* }}} */
1390
1391 /* {{{ write_s3row_data */
write_s3row_data(const entity_stage3_row * r,unsigned orig_cp,enum entity_charset charset,zval * arr)1392 static inline void write_s3row_data(
1393 const entity_stage3_row *r,
1394 unsigned orig_cp,
1395 enum entity_charset charset,
1396 zval *arr)
1397 {
1398 char key[9] = ""; /* two unicode code points in UTF-8 */
1399 char entity[LONGEST_ENTITY_LENGTH + 2] = {'&'};
1400 size_t written_k1;
1401
1402 written_k1 = write_octet_sequence((unsigned char*)key, charset, orig_cp);
1403
1404 if (!r->ambiguous) {
1405 size_t l = r->data.ent.entity_len;
1406 memcpy(&entity[1], r->data.ent.entity, l);
1407 entity[l + 1] = ';';
1408 add_assoc_stringl_ex(arr, key, written_k1, entity, l + 2);
1409 } else {
1410 unsigned i,
1411 num_entries;
1412 const entity_multicodepoint_row *mcpr = r->data.multicodepoint_table;
1413
1414 if (mcpr[0].leading_entry.default_entity != NULL) {
1415 size_t l = mcpr[0].leading_entry.default_entity_len;
1416 memcpy(&entity[1], mcpr[0].leading_entry.default_entity, l);
1417 entity[l + 1] = ';';
1418 add_assoc_stringl_ex(arr, key, written_k1, entity, l + 2);
1419 }
1420 num_entries = mcpr[0].leading_entry.size;
1421 for (i = 1; i <= num_entries; i++) {
1422 size_t l,
1423 written_k2;
1424 unsigned uni_cp,
1425 spe_cp;
1426
1427 uni_cp = mcpr[i].normal_entry.second_cp;
1428 l = mcpr[i].normal_entry.entity_len;
1429
1430 if (!CHARSET_UNICODE_COMPAT(charset)) {
1431 if (map_from_unicode(uni_cp, charset, &spe_cp) == FAILURE)
1432 continue; /* non representable in this charset */
1433 } else {
1434 spe_cp = uni_cp;
1435 }
1436
1437 written_k2 = write_octet_sequence((unsigned char*)&key[written_k1], charset, spe_cp);
1438 memcpy(&entity[1], mcpr[i].normal_entry.entity, l);
1439 entity[l + 1] = ';';
1440 add_assoc_stringl_ex(arr, key, written_k1 + written_k2, entity, l + 2);
1441 }
1442 }
1443 }
1444 /* }}} */
1445
1446 /* {{{ Returns the internal translation table used by htmlspecialchars and htmlentities */
PHP_FUNCTION(get_html_translation_table)1447 PHP_FUNCTION(get_html_translation_table)
1448 {
1449 zend_long all = PHP_HTML_SPECIALCHARS,
1450 flags = ENT_QUOTES|ENT_SUBSTITUTE;
1451 int doctype;
1452 entity_table_opt entity_table;
1453 const enc_to_uni *to_uni_table = NULL;
1454 char *charset_hint = NULL;
1455 size_t charset_hint_len;
1456 enum entity_charset charset;
1457
1458 /* in this function we have to jump through some loops because we're
1459 * getting the translated table from data structures that are optimized for
1460 * random access, not traversal */
1461
1462 ZEND_PARSE_PARAMETERS_START(0, 3)
1463 Z_PARAM_OPTIONAL
1464 Z_PARAM_LONG(all)
1465 Z_PARAM_LONG(flags)
1466 Z_PARAM_STRING(charset_hint, charset_hint_len)
1467 ZEND_PARSE_PARAMETERS_END();
1468
1469 charset = determine_charset(charset_hint, /* quiet */ 0);
1470 doctype = flags & ENT_HTML_DOC_TYPE_MASK;
1471 LIMIT_ALL(all, doctype, charset);
1472
1473 array_init(return_value);
1474
1475 entity_table = determine_entity_table((int)all, doctype);
1476 if (all && !CHARSET_UNICODE_COMPAT(charset)) {
1477 to_uni_table = enc_to_uni_index[charset];
1478 }
1479
1480 if (all) { /* PHP_HTML_ENTITIES (actually, any non-zero value for 1st param) */
1481 const entity_stage1_row *ms_table = entity_table.ms_table;
1482
1483 if (CHARSET_UNICODE_COMPAT(charset)) {
1484 unsigned i, j, k,
1485 max_i, max_j, max_k;
1486 /* no mapping to unicode required */
1487 if (CHARSET_SINGLE_BYTE(charset)) { /* ISO-8859-1 */
1488 max_i = 1; max_j = 4; max_k = 64;
1489 } else {
1490 max_i = 0x1E; max_j = 64; max_k = 64;
1491 }
1492
1493 for (i = 0; i < max_i; i++) {
1494 if (ms_table[i] == empty_stage2_table)
1495 continue;
1496 for (j = 0; j < max_j; j++) {
1497 if (ms_table[i][j] == empty_stage3_table)
1498 continue;
1499 for (k = 0; k < max_k; k++) {
1500 const entity_stage3_row *r = &ms_table[i][j][k];
1501 unsigned code;
1502
1503 if (r->data.ent.entity == NULL)
1504 continue;
1505
1506 code = ENT_CODE_POINT_FROM_STAGES(i, j, k);
1507 if (((code == '\'' && !(flags & ENT_HTML_QUOTE_SINGLE)) ||
1508 (code == '"' && !(flags & ENT_HTML_QUOTE_DOUBLE))))
1509 continue;
1510 write_s3row_data(r, code, charset, return_value);
1511 }
1512 }
1513 }
1514 } else {
1515 /* we have to iterate through the set of code points for this
1516 * encoding and map them to unicode code points */
1517 unsigned i;
1518 for (i = 0; i <= 0xFF; i++) {
1519 const entity_stage3_row *r;
1520 unsigned uni_cp;
1521
1522 /* can be done before mapping, they're invariant */
1523 if (((i == '\'' && !(flags & ENT_HTML_QUOTE_SINGLE)) ||
1524 (i == '"' && !(flags & ENT_HTML_QUOTE_DOUBLE))))
1525 continue;
1526
1527 map_to_unicode(i, to_uni_table, &uni_cp);
1528 r = &ms_table[ENT_STAGE1_INDEX(uni_cp)][ENT_STAGE2_INDEX(uni_cp)][ENT_STAGE3_INDEX(uni_cp)];
1529 if (r->data.ent.entity == NULL)
1530 continue;
1531
1532 write_s3row_data(r, i, charset, return_value);
1533 }
1534 }
1535 } else {
1536 /* we could use sizeof(stage3_table_be_apos_00000) as well */
1537 unsigned j,
1538 numelems = sizeof(stage3_table_be_noapos_00000) /
1539 sizeof(*stage3_table_be_noapos_00000);
1540
1541 for (j = 0; j < numelems; j++) {
1542 const entity_stage3_row *r = &entity_table.table[j];
1543 if (r->data.ent.entity == NULL)
1544 continue;
1545
1546 if (((j == '\'' && !(flags & ENT_HTML_QUOTE_SINGLE)) ||
1547 (j == '"' && !(flags & ENT_HTML_QUOTE_DOUBLE))))
1548 continue;
1549
1550 /* charset is indifferent, used cs_8859_1 for efficiency */
1551 write_s3row_data(r, j, cs_8859_1, return_value);
1552 }
1553 }
1554 }
1555 /* }}} */
1556
