[BUGFIX] Strip tags only from strings in ArrayUtility::stripTagsFromValuesRecursive 00/58900/8
authorWolfgang Klinger <wolfgang@wazum.com>
Thu, 15 Nov 2018 16:45:15 +0000 (17:45 +0100)
committerGeorg Ringerstrong style="color:red"x/strong <georg.ringer@gmail.com>
Mon, 19 Nov 2018 10:29:36 +0000 (11:29 +0100)
Prevent an implicit type cast to string through strip_tags.
Ignore any scalar values other than string,
but preserve the possibility of an object's __toString conversion.

Resolves: #86938
Releases: master, 8.7
Change-Id: I27cb7834dc9e838f60f0d1bda94ab2c4e4011043
Reviewed-on: https://review.typo3.org/58900
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Mathias Brodala <mbrodala@pagemachine.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Georg Ringer<strong style="color:red">x</strong> <georg.ringer@gmail.com>
Tested-by: Georg Ringer<strong style="color:red">x</strong> <georg.ringer@gmail.com>
typo3/sysext/core/Classes/Utility/ArrayUtility.php
typo3/sysext/core/Tests/Unit/Utility/ArrayUtilityTest.php

index 1f28fb1..165bc61 100644 (file)
@@ -827,10 +827,8 @@ class ArrayUtility
         foreach ($result as $key => $value) {
             if (is_array($value)) {
                 $result[$key] = self::stripTagsFromValuesRecursive($value);
-            } else {
-                if (!is_bool($value)) {
-                    $result[$key] = strip_tags($value);
-                }
+            } elseif (is_string($value) || (is_object($value) && method_exists($value, '__toString'))) {
+                $result[$key] = strip_tags($value);
             }
         }
         return $result;
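Review bot: The added `strip_tags($value)` line still depends on an implicit object-to-string conversion for the `__toString` case; `$result[$key] = strip_tags((string)$value);` would make it explicit. If this file is ever placed under `declare(strict_types=1)` (not visible in this hunk), passing an object to a string parameter would raise a TypeError, and the explicit cast avoids that. The method's docblock lies outside the hunk, but it should state the new contract: only strings and objects with `__toString` are stripped, while integers, floats, booleans, null and other objects are returned unchanged. It is also worth noting there that the result has tags removed but is not escaped, so it still needs context-appropriate encoding such as `htmlspecialchars()` before being written into HTML.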
index c087c6a..275111c 100644 (file)
@@ -2712,6 +2712,42 @@ class ArrayUtilityTest extends UnitTestCase
     /**
      * @test
      */
+    public function stripTagsFromValuesRecursiveExpectNoTypeCast()
+    {
+        $testObject = new \stdClass();
+
+        $input = [
+            'stringWithTags' => '<b>i am evil</b>',
+            'boolean' => true,
+            'integer' => 1,
+            'float' => 1.9,
+            'object' => $testObject,
+            'objectWithStringConversion' => new class {
+                /**
+                 * @return string
+                 */
+                public function __toString()
+                {
+                    return 'i am evil <b>too</b>';
+                }
+            },
+        ];
+
+        $expected = [
+            'stringWithTags' => 'i am evil',
+            'boolean' => true,
+            'integer' => 1,
+            'float' => 1.9,
+            'object' => $testObject,
+            'objectWithStringConversion' => 'i am evil too',
+        ];
+
+        $this->assertSame($expected, ArrayUtility::stripTagsFromValuesRecursive($input));
+    }
+
+    /**
+     * @test
+     */
     public function convertBooleanStringsToBooleanRecursiveExpectConverting()
     {
         $input = [
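Review bot: The new test `stripTagsFromValuesRecursiveExpectNoTypeCast` covers neither `null` nor a nested array, although the changed branch affects both. In the removed code `null` was passed to `strip_tags()`, and it is now left untouched; the recursive call is what carries type preservation into sub-arrays. Adding `'null' => null,` and `'nested' => ['integer' => 1, 'stringWithTags' => '<b>nested</b>'],` to `$input`, with `'null' => null,` and `'nested' => ['integer' => 1, 'stringWithTags' => 'nested'],` in `$expected`, would pin both cases under `assertSame`.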