UI Tag Input: 45126 remove encoding as it is...

lukastocker · lukastocker · commit 88af2112d734 · 2025-05-21T11:01:23.000+02:00
...already encoded through the Tag Input code. Else the code is encoded incorrectly. Also strip tags to prevent e.g. JavaScript injections. https://mantis.ilias.de/view.php?id=45126
diff --git a/src/UI/Implementation/Component/Input/Field/Renderer.php b/src/UI/Implementation/Component/Input/Field/Renderer.php
@@ -373,7 +373,7 @@ protected function renderTagField(F\Tag $component): string
         if ($value) {
             $value = array_map(
                 function ($v) {
-                    return ['value' => urlencode($this->convertSpecialCharacters($v)), 'display' => $v];
+                    return ['value' => urlencode($v), 'display' => $v];
                 },
                 $value
             );
diff --git a/src/UI/Implementation/Component/Input/Field/Tag.php b/src/UI/Implementation/Component/Input/Field/Tag.php
@@ -75,7 +75,8 @@ protected function addAdditionalTransformations(): void
             if (count($v) == 1 && $v[0] === '') {
                 return [];
             }
-            return array_map("urldecode", $v);
+            $array = array_map("urldecode", $v);
+            return array_map('strip_tags', $array);
         }));
     }
 

Original file line number	Diff line number	Diff line change
`@@ -75,7 +75,8 @@ protected function addAdditionalTransformations(): void`
`75`	`75`	`if (count($v) == 1 && $v[0] === '') {`
`76`	`76`	`return [];`
`77`	`77`	`}`
`78`		`- return array_map("urldecode", $v);`
	`78`	`+ $array = array_map("urldecode", $v);`
	`79`	`+ return array_map('strip_tags', $array);`
`79`	`80`	`}));`
`80`	`81`	`}`
`81`	`82`