PropertyString: decode HTML entities appropriately. (#4321)

demiankatz · web-flow · commit 1618b8331a63 · 2025-04-01T17:19:54.000-04:00
diff --git a/module/VuFind/src/VuFind/String/PropertyString.php b/module/VuFind/src/VuFind/String/PropertyString.php
@@ -66,7 +66,8 @@ public function __construct(protected string $string, protected array $propertie
      */
     public static function fromHtml(string $html, array $properties = []): PropertyString
     {
-        return (new PropertyString(strip_tags($html), $properties))->setHtml($html);
+        $decodedHtml = html_entity_decode(strip_tags($html));
+        return (new PropertyString($decodedHtml, $properties))->setHtml($html);
     }
 
     /**
diff --git a/module/VuFind/tests/unit-tests/src/VuFindTest/String/PropertyStringTest.php b/module/VuFind/tests/unit-tests/src/VuFindTest/String/PropertyStringTest.php
@@ -114,6 +114,13 @@ public static function fromHtmlProvider(): array
                 '<strong>HTML</strong> string',
                 ['__html' => '<strong>HTML</strong> string'],
             ],
+            'HTML string containing entities' => [
+                '<i>Dungeons &amp; Dragons</i>',
+                [],
+                'Dungeons & Dragons',
+                '<i>Dungeons &amp; Dragons</i>',
+                ['__html' => '<i>Dungeons &amp; Dragons</i>'],
+            ],
         ];
     }
 
diff --git a/module/VuFind/tests/unit-tests/src/VuFindTest/View/Helper/Root/EscapeOrCleanHtmlTest.php b/module/VuFind/tests/unit-tests/src/VuFindTest/View/Helper/Root/EscapeOrCleanHtmlTest.php
@@ -56,6 +56,7 @@ public static function escapeOrCleanHtmlProvider(): array
     {
         $link = '<a href="https://vufind.org/">VuFind</a>';
         $div = '<div>Div</div>';
+        $dnd = '<i>Dungeons &amp; Dragons</i>';
         return [
             'plain string' => ['plain string', null, null, 'default', [], 'plain string'],
             'link' => [$link, null, null, 'default', [], htmlentities($link)],
@@ -75,6 +76,9 @@ public static function escapeOrCleanHtmlProvider(): array
             'div as PropertyString, allow HTML, rendered in heading' => [
                 PropertyString::fromHtml($div), null, true, 'heading', [], 'Div',
             ],
+            'HTML containing entity, disallow HTML' => [
+                PropertyString::fromHtml($dnd), null, false, 'heading', [], 'Dungeons &amp; Dragons',
+            ],
         ];
     }
 

Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,8 @@ public function __construct(protected string $string, protected array $propertie`
`66`	`66`	`*/`
`67`	`67`	`public static function fromHtml(string $html, array $properties = []): PropertyString`
`68`	`68`	`{`
`69`		`- return (new PropertyString(strip_tags($html), $properties))->setHtml($html);`
	`69`	`+ $decodedHtml = html_entity_decode(strip_tags($html));`
	`70`	`+ return (new PropertyString($decodedHtml, $properties))->setHtml($html);`
`70`	`71`	`}`
`71`	`72`
`72`	`73`	`/**`