MINO Switching 'rewriteHashlinks' sanitization from Convert::raw2att() to strip_tags() to make the resulting PHP more portable when mode is set to 'php'

core/SSViewer.php

@@ -439,10 +439,9 @@ class SSViewer {
 		if($this->rewriteHashlinks && self::$options['rewriteHashlinks']) {
 			if(strpos($output, '<base') !== false) {
 				if(SSViewer::$options['rewriteHashlinks'] === 'php') { 
-					// Emulate Convert::raw2att() without adding this dependency
-					$thisURLRelativeToBase = "<?php echo str_replace(array('&','\"',\"'\",'<','>'), array('&amp;','&quot;','&#39;','&lt;','&gt;'), \$_SERVER['REQUEST_URI']); ?>"; 
+					$thisURLRelativeToBase = "<?php echo strip_tags(\$_SERVER['REQUEST_URI']); ?>"; 
 				} else { 
-					$thisURLRelativeToBase = Convert::raw2att($_SERVER['REQUEST_URI']); 
+					$thisURLRelativeToBase = strip_tags($_SERVER['REQUEST_URI']); 
 				}
 				$output = preg_replace('/(<a[^>]+href *= *)"#/i', '\\1"' . $thisURLRelativeToBase . '#', $output);
 			}
@@ -607,7 +606,7 @@ class SSViewer {
 		$content = ereg_replace('<!-- +if_end +-->', '<? }  ?>', $content);
 			
 		// Fix link stuff
-		$content = ereg_replace('href *= *"#', 'href="<?= SSViewer::$options[\'rewriteHashlinks\'] ? Convert::raw2att( $_SERVER[\'REQUEST_URI\'] ) : "" ?>#', $content);
+		$content = ereg_replace('href *= *"#', 'href="<?= SSViewer::$options[\'rewriteHashlinks\'] ? strip_tags( $_SERVER[\'REQUEST_URI\'] ) : "" ?>#', $content);
 	
 		// Protect xml header
 		$content = ereg_replace('<\?xml([^>]+)\?' . '>', '<##xml\\1##>', $content);

tests/SSViewerTest.php

@@ -193,7 +193,7 @@ SS
 		$obj->InsertedLink = '<a class="inserted" href="#anchor">InsertedLink</a>';
 		$result = $tmpl->process($obj);
 		$this->assertContains(
-			'<a class="inserted" href="<?php echo str_replace(',
+			'<a class="inserted" href="<?php echo strip_tags(',
 			$result
 		);
 		// TODO Fix inline links in PHP mode