[BUGFIX] Strip tags only from strings in ArrayUtility::stripTagsFromValuesRecursive 14/58914/2
authorWolfgang Klinger <wolfgang@wazum.com>
Thu, 15 Nov 2018 16:45:15 +0000 (17:45 +0100)
committerGeorg Ringer <georg.ringer@gmail.com>
Mon, 19 Nov 2018 11:50:48 +0000 (12:50 +0100)
Prevent an implicit type cast to string through strip_tags.
Ignore any scalar values other than string,
but preserve the possibility of an object's __toString conversion.

Resolves: #86938
Releases: master, 8.7
Change-Id: I27cb7834dc9e838f60f0d1bda94ab2c4e4011043
Reviewed-on: https://review.typo3.org/58914
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
typo3/sysext/core/Classes/Utility/ArrayUtility.php
typo3/sysext/core/Tests/Unit/Utility/ArrayUtilityTest.php

index bf6f46d..1672892 100644 (file)
@@ -859,10 +859,8 @@ class ArrayUtility
         foreach ($result as $key => $value) {
             if (is_array($value)) {
                 $result[$key] = self::stripTagsFromValuesRecursive($value);
-            } else {
-                if (!is_bool($value)) {
-                    $result[$key] = strip_tags($value);
-                }
+            } elseif (is_string($value) || (is_object($value) && method_exists($value, '__toString'))) {
+                $result[$key] = strip_tags($value);
             }
         }
         return $result;
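Review bot: Values that are neither arrays, strings nor objects with `__toString` now pass through the new `elseif` untouched, so an object without `__toString` is returned as-is and any markup held in its properties is never stripped. That is a reasonable contract, but callers that treat the result as tag-free need to know it, and the method's docblock (outside this hunk) should say so, for example `Only string values and objects implementing __toString() are stripped (the latter are returned as strings); all other values are returned unchanged.` The same docblock could note that array keys are not processed, and that `strip_tags()` removes tags but is not output encoding, so the result still needs context-appropriate escaping when rendered.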
index 91d002a..1ed7bdb 100644 (file)
@@ -2701,6 +2701,42 @@ class ArrayUtilityTest extends \TYPO3\TestingFramework\Core\Unit\UnitTestCase
     /**
      * @test
      */
+    public function stripTagsFromValuesRecursiveExpectNoTypeCast()
+    {
+        $testObject = new \stdClass();
+
+        $input = [
+            'stringWithTags' => '<b>i am evil</b>',
+            'boolean' => true,
+            'integer' => 1,
+            'float' => 1.9,
+            'object' => $testObject,
+            'objectWithStringConversion' => new class {
+                /**
+                 * @return string
+                 */
+                public function __toString()
+                {
+                    return 'i am evil <b>too</b>';
+                }
+            },
+        ];
+
+        $expected = [
+            'stringWithTags' => 'i am evil',
+            'boolean' => true,
+            'integer' => 1,
+            'float' => 1.9,
+            'object' => $testObject,
+            'objectWithStringConversion' => 'i am evil too',
+        ];
+
+        $this->assertSame($expected, ArrayUtility::stripTagsFromValuesRecursive($input));
+    }
+
+    /**
+     * @test
+     */
     public function convertBooleanStringsToBooleanRecursiveExpectConverting()
     {
         $input = [
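Review bot: The new test does not pin `null`, which is another value whose result changes with this fix: the old branch passed it to `strip_tags()`, which casts it to an empty string, while the new condition leaves it as `null`. Adding `'null' => null,` to both `$input` and `$expected` would lock that in. A nested entry such as `'nested' => ['integer' => 1, 'string' => '<i>x</i>']` (expected `['integer' => 1, 'string' => 'x']`) would also confirm that type preservation holds through the recursive call. The test method lies entirely within the hunk; the trailing context lines belong to the next test.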