From 78c0350b3b7fc025ba565e19bfa195b68e95bb88 Mon Sep 17 00:00:00 2001 From: Laria Carolin Chabowski Date: Fri, 25 Sep 2020 21:24:01 +0200 Subject: Deprecate htmlesc for Esc::esc "Stole" this class from another project of mine (micropoly) --- ratatoeskr/backend.php | 14 ++++++++------ ratatoeskr/frontend.php | 32 +++++++++++++++++--------------- ratatoeskr/sys/Esc.php | 22 ++++++++++++++++++++++ ratatoeskr/sys/translation.php | 4 +++- ratatoeskr/sys/utils.php | 18 +++++++++--------- 5 files changed, 59 insertions(+), 31 deletions(-) create mode 100644 ratatoeskr/sys/Esc.php diff --git a/ratatoeskr/backend.php b/ratatoeskr/backend.php index c050922..df1ea5b 100644 --- a/ratatoeskr/backend.php +++ b/ratatoeskr/backend.php @@ -9,6 +9,8 @@ * See "ratatoeskr/licenses/ratatoeskr" for more information. */ +use r7r\cms\sys\Esc; + require_once(dirname(__FILE__) . "/sys/models.php"); require_once(dirname(__FILE__) . "/sys/pwhash.php"); require_once(dirname(__FILE__) . "/sys/textprocessors.php"); @@ -269,7 +271,7 @@ function build_backend_subactions() call_user_func($cb, $article); } $ste->vars["article_editurl"] = urlencode($article->urlname) . "/" . urlencode($editlang); - $ste->vars["success"] = htmlesc($translation["article_save_success"]); + $ste->vars["success"] = Esc::esc($translation["article_save_success"]); } catch (AlreadyExistsError $e) { $fail_reasons[] = $translation["article_name_already_in_use"]; } @@ -305,7 +307,7 @@ function build_backend_subactions() call_user_func($cb, $article); } $ste->vars["article_editurl"] = urlencode($article->urlname) . "/" . urlencode($editlang); - $ste->vars["success"] = htmlesc($translation["article_save_success"]); + $ste->vars["success"] = Esc::esc($translation["article_save_success"]); } catch (AlreadyExistsError $e) { $fail_reasons[] = $translation["article_name_already_in_use"]; } 
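Review bot: The new `use r7r\cms\sys\Esc;` at the top of backend.php has no matching `require_once` for `sys/Esc.php`, although every other sys/ file visible in this hunk is loaded explicitly with `require_once(dirname(__FILE__) . "/sys/…")`; unless an autoloader covering the `r7r\cms\sys` namespace exists (none is visible in this patch), the first `Esc::esc()` call in the -269 hunk fails with a class-not-found error. If the project has no autoloader, add `require_once(dirname(__FILE__) . "/sys/Esc.php");` beside the existing requires; frontend.php's header hunk has the same gap. Esc.php itself is the last file in this patch but its body lies outside this excerpt, so I could not confirm that it declares that namespace.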
@@ -700,9 +702,9 @@ function build_backend_subactions() if ($imageaction == "markdown") { $ste->vars["embed_code"] = "![" . str_replace("]", "\\]", $_POST["img_alt"]) . "](%root%/images/" . str_replace(")", "\\)", urlencode($image->get_filename())) . ")"; } elseif ($imageaction == "html") { - $ste->vars["embed_code"] = "get_filename())) . "\" alt=\"" . htmlesc($_POST["img_alt"]) . "\" />"; + $ste->vars["embed_code"] = "get_filename())) . "\" alt=\"" . Esc::esc($_POST["img_alt"]) . "\" />"; } elseif ($imageaction == "ste") { - $ste->vars["embed_code"] = "get_filename())) . "\" alt=\"" . htmlesc($_POST["img_alt"]) . "\" />"; + $ste->vars["embed_code"] = "get_filename())) . "\" alt=\"" . Esc::esc($_POST["img_alt"]) . "\" />"; } } @@ -1617,7 +1619,7 @@ function build_backend_subactions() $ste->vars["success"] = $translation[$newstatus ? "plugins_activated" : "plugins_deactivated"]; if (!empty($api_incompat)) { - $ste->vars["error"] = htmlesc(str_replace("[[PLUGINS]]", implode(", ", $api_incompat), $translation["could_not_activate_plugin_api_incompat"])); + $ste->vars["error"] = Esc::esc(str_replace("[[PLUGINS]]", implode(", ", $api_incompat), $translation["could_not_activate_plugin_api_incompat"])); } } @@ -1679,7 +1681,7 @@ function build_backend_subactions() } if (!empty($api_incompat)) { - $ste->vars["notice"] = htmlesc(str_replace("[[PLUGINS]]", implode(", ", $api_incompat), $translation["plugins_incompat"])); + $ste->vars["notice"] = Esc::esc(str_replace("[[PLUGINS]]", implode(", ", $api_incompat), $translation["plugins_incompat"])); } echo $ste->exectemplate("/systemtemplates/pluginlist.html"); diff --git a/ratatoeskr/frontend.php b/ratatoeskr/frontend.php index 473ed8a..eb62378 100644 --- a/ratatoeskr/frontend.php +++ b/ratatoeskr/frontend.php 
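Review bot: In the `html` and `ste` branches of the image hunk, `Esc::esc($_POST["img_alt"])` is placed inside a double-quoted `alt=\"…\"` attribute, so the escaper has to encode `"` in addition to `<`, `>` and `&` — `htmlspecialchars` only does that with `ENT_QUOTES`, which is in the default flags from PHP 8.1 onward but must be passed explicitly on older versions. Esc.php is added at the end of this patch but its body is outside this excerpt, so its flags could not be checked; if `Esc::esc` is the text-node escaper, give it `ENT_QUOTES | ENT_SUBSTITUTE` with `'UTF-8'`, or add an attribute-specific method and use it here and for the `$url` values returned by frontend.php's `page_prev`/`page_next` hunks, which appear to land in a link attribute (the tag markup was lost in this rendering). While here, the `$ste->vars["success"]` assignment in the -1617 hunk stays raw while `error` and `notice` are escaped; that looks like an oversight unless those translation strings are meant to carry markup. build_backend_subactions continues outside these hunks.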
@@ -9,6 +9,8 @@ * See "ratatoeskr/licenses/ratatoeskr" for more information. */ +use r7r\cms\sys\Esc; + require_once(dirname(__FILE__) . "/sys/utils.php"); require_once(dirname(__FILE__) . "/languages.php"); require_once(dirname(__FILE__) . "/sys/models.php"); @@ -110,8 +112,8 @@ function article_transform_ste($article, $lang) return [ "id" => $article->get_id(), "urlname" => $article->urlname, - "fullurl" => htmlesc("$rel_path_to_root/$lang/{$a_section->name}/{$article->urlname}"), - "title" => htmlesc($article->title[$lang]->text), + "fullurl" => Esc::esc("$rel_path_to_root/$lang/{$a_section->name}/{$article->urlname}"), + "title" => Esc::esc($article->title[$lang]->text), "text" => textprocessor_apply(str_replace("%root%", $rel_path_to_root, $article->text[$lang]->text), $article->text[$lang]->texttype), "excerpt" => textprocessor_apply(str_replace("%root%", $rel_path_to_root, $article->excerpt[$lang]->text), $article->excerpt[$lang]->texttype), "custom" => $article->custom, @@ -146,7 +148,7 @@ function comment_transform_ste($comment) return [ "id" => $comment->get_id(), "text" => $comment->create_html(), - "author" => htmlesc($comment->author_name), + "author" => Esc::esc($comment->author_name), "timestamp" => $comment->get_timestamp(), "__obj" => $comment ]; @@ -449,9 +451,9 @@ $ste->register_tag("comment_form", function ($ste, $params, $sub) { $previewbtn = $ste->evalbool(@$params["previewbtn"]) ? " " : ""; if ($ste->evalbool(@$params["default"])) { - $form_body = "
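Review bot: In article_transform_ste's `fullurl`, `{$a_section->name}` and `{$article->urlname}` are interpolated into the path without URL-encoding, whereas backend.php's `article_editurl` in the same patch wraps `urlname` in `urlencode()`; `Esc::esc` makes the value safe to place in HTML but does not make the URL well-formed if either name contains `/`, `?`, `#` or whitespace. If those fields are already restricted to URL-safe characters on save this is fine; otherwise use `"fullurl" => Esc::esc("$rel_path_to_root/$lang/" . rawurlencode($a_section->name) . "/" . rawurlencode($article->urlname)),`. The function body continues outside the hunk, and the same check applies to the `url` value built in the `languages` hunk further down.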

{$translation["comment_form_name"]}:

-

{$translation["comment_form_mail"]}:

-

{$translation["comment_form_text"]}:

+ $form_body = "

{$translation["comment_form_name"]}:

+

{$translation["comment_form_mail"]}:

+

{$translation["comment_form_text"]}:

$previewbtn

"; } else { $ste->vars["current"]["oldcomment"] = [ @@ -501,7 +503,7 @@ $ste->register_tag("page_prev", function ($ste, $params, $sub) { parse_str(parse_url($_SERVER["REQUEST_URI"], PHP_URL_QUERY), $query); $query["page"] = $params["current"] - 1; $url = $_SERVER["REDIRECT_URL"] . "?" . http_build_query($query); - return "" . (($ste->evalbool(@$params["default"])) ? $translation["page_prev"] : $sub($ste)) . ""; + return "" . (($ste->evalbool(@$params["default"])) ? $translation["page_prev"] : $sub($ste)) . ""; }); $ste->register_tag("page_next", function ($ste, $params, $sub) { @@ -520,7 +522,7 @@ $ste->register_tag("page_next", function ($ste, $params, $sub) { parse_str(parse_url($_SERVER["REQUEST_URI"], PHP_URL_QUERY), $query); $query["page"] = $params["current"] + 1; $url = $_SERVER["REDIRECT_URL"] . "?" . http_build_query($query); - return "" . (($ste->evalbool(@$params["default"])) ? $translation["page_next"] : $sub($ste)) . ""; + return "" . (($ste->evalbool(@$params["default"])) ? $translation["page_next"] : $sub($ste)) . ""; }); /* @@ -571,8 +573,8 @@ $ste->register_tag("languages", function ($ste, $params, $sub) { foreach ($langs as $lang) { $ste->set_var_by_name($params["var"], [ "short" => $lang, - "fullname" => htmlesc($languages[$lang]["language"]), - "url" => htmlesc("$rel_path_to_root/$lang/" . implode("/", array_slice($ste->vars["current"]["url_fragments"], 1))) + "fullname" => Esc::esc($languages[$lang]["language"]), + "url" => Esc::esc("$rel_path_to_root/$lang/" . implode("/", array_slice($ste->vars["current"]["url_fragments"], 1))) ]); $output .= $sub($ste); } @@ -613,11 +615,11 @@ $ste->register_tag("styles_load", function ($ste, $params, $sub) { } } } - $output = ""; + $output = ""; } else { $output = ""; foreach ($ste->vars["current"]["styles"] as $stylename) { - $output .= "\n"; + $output .= "\n"; } } return $output; 
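Review bot: In the rebuilt `comment_form` body the labels `{$translation["comment_form_name"]}`, `{$translation["comment_form_mail"]}` and `{$translation["comment_form_text"]}` are interpolated raw, while the rest of this commit passes translation strings through `Esc::esc` (for example `article_save_success` in backend.php). If translation files are trusted application code that is acceptable, but then the other call sites escape for no reason; pick one rule and apply it consistently, or wrap these three as `Esc::esc($translation["comment_form_name"])` and so on. The form's tags and the `-`/`+` markers inside the string were lost in this rendering, so the attribute-level escapes in this hunk could not be checked; `$previewbtn` is prebuilt markup and must stay unescaped.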
@@ -636,10 +638,10 @@ $ste->register_tag("styles_load", function ($ste, $params, $sub) {
 $ste->register_tag("title", function ($ste, $params, $sub) {
 $pagetitle = $sub($ste);
 if (isset($ste->vars["current"]["article"])) {
- return "" . htmlesc($ste->vars["current"]["article"]["title"]) . " – $pagetitle" . "";
+ return "" . Esc::esc($ste->vars["current"]["article"]["title"]) . " – $pagetitle" . "";
 }
 if (isset($ste->vars["current"]["section"])) {
- return "" . htmlesc($ste->vars["current"]["section"]["title"]) . " – $pagetitle" . "";
+ return "" . Esc::esc($ste->vars["current"]["section"]["title"]) . " – $pagetitle" . "";
 }
 return "$pagetitle";
 });
@@ -811,7 +813,7 @@ function frontend_url_handler(&$data, $url_now, &$url_next)
 call_user_func($validator);
 }
 } catch (CommentRejected $e) {
- $ste->vars["current"]["comment_fail"] = htmlesc($e->getMessage());
+ $ste->vars["current"]["comment_fail"] = Esc::esc($e->getMessage());
 $rejected = true;
 }
 if (!$rejected) {
diff --git a/ratatoeskr/sys/Esc.php b/ratatoeskr/sys/Esc.php
new file mode 100644
index 0000000..eaefc10
--- /dev/null
+++ b/ratatoeskr/sys/Esc.php
@@ -0,0 +1,22 @@
+
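Review bot: The `title` tag escapes `$ste->vars["current"]["article"]["title"]` with `Esc::esc`, but if `current.article` is the array produced by article_transform_ste, its `title` key is already escaped in the -110 hunk, so a title containing `&`, `<` or quotes is encoded twice and the page title shows literal `&amp;`-style text; the section branch likely behaves the same if sections are transformed the same way. The behaviour predates this commit (`htmlesc` did the same), but since both return lines are being touched this is the moment to escape in exactly one place: either drop the `Esc::esc` wrapper on these two lines, or keep the unescaped value under a separate key in article_transform_ste and escape it here. I could not verify where `current.article` is assigned from this excerpt.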