From 336f3e5a628d9f915da7832651eeb516856a6ba0 Mon Sep 17 00:00:00 2001
From: Matthias Pfefferle
Date: Mon, 2 Oct 2023 17:11:56 +0200
Subject: [PATCH] Fix various encoding issues (#477)

* fix html-entity issue in username

* remove kses

let other platforms decide what to allow and what not

* Remove html_entity_decode to prevent encoding issues (#454)

I've tested this on content which includes MarkDown, HTML, encoded entities, unencoded entities, etc.

Fixes #445

Co-authored-by: Matthias Pfefferle

* remove allowed tags

---------

Co-authored-by: Terence Eden
---
 includes/model/class-blog-user.php | 8 ++++-
 includes/transformer/class-post.php | 54 -----------------------------
 2 files changed, 7 insertions(+), 55 deletions(-)

diff --git a/includes/model/class-blog-user.php b/includes/model/class-blog-user.php
index 062b616..21a066e 100644
--- a/includes/model/class-blog-user.php
+++ b/includes/model/class-blog-user.php
@@ -67,7 +67,13 @@ class Blog_User extends User {
 * @return string The User-Name.
 */
 public function get_name() {
- return \esc_html( \get_bloginfo( 'name' ) );
+ return \wp_strip_all_tags(
+ \html_entity_decode(
+ \get_bloginfo( 'name' ),
+ \ENT_QUOTES,
+ 'UTF-8'
+ )
+ );
 }
 
 /**
diff --git a/includes/transformer/class-post.php b/includes/transformer/class-post.php
index 286b91f..d22304f 100644
--- a/includes/transformer/class-post.php
+++ b/includes/transformer/class-post.php
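Review bot: The decode-then-strip order in the new `get_name()` body means an entity-encoded angle bracket stored in the blog name (e.g. `&lt;b&gt;`) is first turned back into a real tag and then removed by `wp_strip_all_tags()`, so that text silently disappears instead of surviving as literal characters; that is acceptable for a plain-text `name` field but deserves a comment, because the reason for decoding at all — WordPress stores the `blogname` option already entity-escaped via `sanitize_option()` — is not visible here. Suggest above the return: `// blogname is stored entity-escaped; decode it, then strip tags. Result is plain text, so callers that echo it into HTML must escape at output.` Since `esc_html()` is gone, any template or header that previously relied on `get_name()` being HTML-safe now needs its own escaping; callers are outside this hunk, so that should be checked in the rest of the plugin.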
@@ -30,58 +30,6 @@ class Post {
 */
 protected $wp_post;
 
- /**
- * The Allowed Tags, used in the content.
- *
- * @var array
- */
- protected $allowed_tags = array(
- 'a' => array(
- 'href' => array(),
- 'title' => array(),
- 'class' => array(),
- 'rel' => array(),
- ),
- 'br' => array(),
- 'p' => array(
- 'class' => array(),
- ),
- 'span' => array(
- 'class' => array(),
- ),
- 'div' => array(
- 'class' => array(),
- ),
- 'ul' => array(),
- 'ol' => array(
- 'reversed' => array(),
- 'start' => array(),
- ),
- 'li' => array(
- 'value' => array(),
- ),
- 'strong' => array(
- 'class' => array(),
- ),
- 'b' => array(
- 'class' => array(),
- ),
- 'i' => array(
- 'class' => array(),
- ),
- 'em' => array(
- 'class' => array(),
- ),
- 'blockquote' => array(),
- 'cite' => array(),
- 'code' => array(
- 'class' => array(),
- ),
- 'pre' => array(
- 'class' => array(),
- ),
- );
-
 /**
 * Static function to Transform a WP_Post Object.
 *
@@ -513,13 +461,11 @@ class Post {
 $content = do_shortcode( $content );
 wp_reset_postdata();
 
- $content = \wp_kses( $content, $this->allowed_tags );
 $content = \wpautop( $content );
 $content = \preg_replace( '/[\n\r\t]/', '', $content );
 $content = \trim( $content );
 
 $content = \apply_filters( 'activitypub_the_content', $content, $post );
- $content = \html_entity_decode( $content, \ENT_QUOTES, 'UTF-8' );
 
 return $content;
 }
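Review bot: With `\wp_kses()` removed in the second hunk, the `activitypub_the_content` filter on the line below `\trim()` is now the only point where the outgoing `content` can be restricted, and whatever `do_shortcode()` and the `the_content` pipeline produce — including raw markup injected by another plugin or shortcode — is serialised as-is; the commit deliberately delegates sanitisation to the receiving server, but nothing on the new side records that decision. Suggest a comment on the `apply_filters` line: `// Tags are intentionally not filtered here; remote servers sanitise on receipt. Hook this filter to restrict markup site-side.` The first hunk's removal of `$allowed_tags` is only safe if no subclass or filter callback still reads `$this->allowed_tags`, which cannot be confirmed from this diff. The method enclosing the second hunk starts before it.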