From cbfe6ea43199ac1ac679bee83b5ae647c17915a5 Mon Sep 17 00:00:00 2001
From: Alex Kirk
Date: Fri, 27 Jan 2023 16:50:04 +0100
Subject: [PATCH 1/4] Protect code HTML
---
 includes/class-hashtag.php | 12 +++++++++++-
 includes/class-mention.php | 12 +++++++++++-
 tests/test-class-activitypub-hashtag.php | 13 +++++++++++++
 tests/test-class-activitypub-mention.php | 6 ++++--
 4 files changed, 39 insertions(+), 4 deletions(-)
diff --git a/includes/class-hashtag.php b/includes/class-hashtag.php
index 342320d..41ed483 100644
--- a/includes/class-hashtag.php
+++ b/includes/class-hashtag.php
@@ -20,7 +20,7 @@ class Hashtag {
 /**
 * Filter to save #tags as real WordPress tags
 *
- * @param int $id the rev-id
+ * @param int $id the rev-id
 * @param WP_Post $post the post
 *
 * @return
@@ -44,6 +44,16 @@ class Hashtag {
 */
 public static function the_content( $the_content ) {
 $protected_tags = array();
+ $the_content = preg_replace_callback(
+ '#<(code|textarea|style)\b[^>]*>.*?]*>#i',
+ function( $m ) use ( &$protected_tags ) {
+ $c = count( $protected_tags );
+ $protect = '!#!#PROTECT' . $c . '#!#!';
+ $protected_tags[ $protect ] = $m[0];
+ return $protect;
+ },
+ $the_content
+ );
 $the_content = preg_replace_callback(
 '#<[^>]+>#i',
 function( $m ) use ( &$protected_tags ) {
diff --git a/includes/class-mention.php b/includes/class-mention.php
index 0227d8a..23c0c59 100644
--- a/includes/class-mention.php
+++ b/includes/class-mention.php
@@ -24,6 +24,16 @@ class Mention {
 */
 public static function the_content( $the_content ) {
 $protected_tags = array();
+ $the_content = preg_replace_callback(
+ '#<(code|textarea|style)\b[^>]*>.*?]*>#i',
+ function( $m ) use ( &$protected_tags ) {
+ $c = count( $protected_tags );
+ $protect = '!#!#PROTECT' . $c . '#!#!';
+ $protected_tags[ $protect ] = $m[0];
+ return $protect;
+ },
+ $the_content
+ );
 $the_content = preg_replace_callback(
 '#]+>.*?#i',
 function( $m ) use ( &$protected_tags ) {
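Review bot: The alternation `(code|textarea|style)` in the new first pass of `Hashtag::the_content()` leaves out `script`, so the body of an inline script still reaches the hashtag replacement and a `#word` inside it would be rewritten into a link. The existing `'#<[^>]+>#i'` pass below it appears to shield only the tags themselves, not the text between them. Unless script elements can never reach this filter, extend the list to `(code|textarea|style|script)`, here and in the identical pass added to `Mention::the_content()`. The pattern as printed on this page looks truncated before the closing tag, so take the regex from the repository rather than from this rendering; both function bodies continue outside their hunks.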
@@ -68,7 +78,7 @@ class Mention { /** * Extract the mentions from the post_content. * - * @param array $mentions The already found mentions. + * @param array $mentions The already found mentions. * @param string $post_content The post content. * @return mixed The discovered mentions. */ diff --git a/tests/test-class-activitypub-hashtag.php b/tests/test-class-activitypub-hashtag.php index 5c207bd..0c7c6b0 100644 --- a/tests/test-class-activitypub-hashtag.php +++ b/tests/test-class-activitypub-hashtag.php @@ -5,6 +5,7 @@ class Test_Activitypub_Hashtag extends WP_UnitTestCase { */ public function test_the_content( $content, $content_with_hashtag ) { \wp_create_term( 'object', 'post_tag' ); + \wp_create_term( 'ccc', 'post_tag' ); $object = \get_term_by( 'name', 'object', 'post_tag' ); $link = \get_term_link( $object, 'post_tag' ); @@ -14,6 +15,15 @@ class Test_Activitypub_Hashtag extends WP_UnitTestCase { } public function the_content_provider() { + $code = 'text with some #object and tag inside'; + $style = << + + +ENDSTYLE; + $textarea = ''; return array( array( 'test', 'test' ), array( '#test', '#test' ), @@ -27,6 +37,9 @@ class Test_Activitypub_Hashtag extends WP_UnitTestCase { array( '
#object
', '
#object
' ), array( '
#object', '#object' ), array( '
object', '
object' ), + array( $code, $code ), + array( $style, $style ), + array( $textarea, $textarea ), ); } } diff --git a/tests/test-class-activitypub-mention.php b/tests/test-class-activitypub-mention.php index e777dff..e4054d0 100644 --- a/tests/test-class-activitypub-mention.php +++ b/tests/test-class-activitypub-mention.php @@ -2,8 +2,8 @@ class Test_Activitypub_Mention extends ActivityPub_TestCase_Cache_HTTP { public static $users = array( 'username@example.org' => array( - 'url' => 'https://example.org/users/username', - 'name' => 'username', + 'url' => 'https://example.org/users/username', + 'name' => 'username', ), ); /** @@ -18,12 +18,14 @@ class Test_Activitypub_Mention extends ActivityPub_TestCase_Cache_HTTP { } public function the_content_provider() { + $code = 'hallo @username@example.org test'; return array( array( 'hallo @username@example.org test', 'hallo @username test' ), array( 'hallo @pfefferle@notiz.blog test', 'hallo @pfefferle test' ), array( 'hallo @pfefferle@notiz.blog test', 'hallo @pfefferle@notiz.blog test' ), array( 'hallo @pfefferle@notiz.blog test', 'hallo @pfefferle@notiz.blog test' ), array( 'hallo @pfefferle@notiz.blog test', 'hallo @pfefferle@notiz.blog test' ), + array( $code, $code ), ); } From e7894f4c4addf4a9b20d76ca9158f0ec3ac78e62 Mon Sep 17 00:00:00 2001 From: Alex Kirk Date: Fri, 27 Jan 2023 16:55:52 +0100 Subject: [PATCH 2/4] Also protect

---
 includes/class-hashtag.php               | 2 +-
 includes/class-mention.php               | 2 +-
 tests/test-class-activitypub-hashtag.php | 8 ++++++++
 tests/test-class-activitypub-mention.php | 7 +++++++
 4 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/includes/class-hashtag.php b/includes/class-hashtag.php
index 41ed483..cbdb7df 100644
--- a/includes/class-hashtag.php
+++ b/includes/class-hashtag.php
@@ -45,7 +45,7 @@ class Hashtag {
 	public static function the_content( $the_content ) {
 		$protected_tags = array();
 		$the_content = preg_replace_callback(
-			'#<(code|textarea|style)\b[^>]*>.*?]*>#i',
+			'#<(pre|code|textarea|style)\b[^>]*>.*?]*>#is',
 			function( $m ) use ( &$protected_tags ) {
 				$c = count( $protected_tags );
 				$protect = '!#!#PROTECT' . $c . '#!#!';
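Review bot: With the added `s` modifier the lazy `.*?` now runs across newlines, so on a long post with an opening `<pre>` or `<code>` that is never closed the engine scans towards the end of the content for each such tag, and `preg_replace_callback()` returns `null` once a PCRE limit is hit. That result is assigned straight back to `$the_content`, which would presumably leave the filter returning empty content instead of the post. Keep the input on failure, e.g. `$result = preg_replace_callback( ... ); if ( null !== $result ) { $the_content = $result; }`. The same applies to the identical one-line change in `includes/class-mention.php`; the rest of `the_content()` lies outside the hunk.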
diff --git a/includes/class-mention.php b/includes/class-mention.php
index 23c0c59..1912dfa 100644
--- a/includes/class-mention.php
+++ b/includes/class-mention.php
@@ -25,7 +25,7 @@ class Mention {
 	public static function the_content( $the_content ) {
 		$protected_tags = array();
 		$the_content = preg_replace_callback(
-			'#<(code|textarea|style)\b[^>]*>.*?]*>#i',
+			'#<(pre|code|textarea|style)\b[^>]*>.*?]*>#is',
 			function( $m ) use ( &$protected_tags ) {
 				$c = count( $protected_tags );
 				$protect = '!#!#PROTECT' . $c . '#!#!';
diff --git a/tests/test-class-activitypub-hashtag.php b/tests/test-class-activitypub-hashtag.php
index 0c7c6b0..319b47d 100644
--- a/tests/test-class-activitypub-hashtag.php
+++ b/tests/test-class-activitypub-hashtag.php
@@ -5,6 +5,7 @@ class Test_Activitypub_Hashtag extends WP_UnitTestCase {
 	 */
 	public function test_the_content( $content, $content_with_hashtag ) {
 		\wp_create_term( 'object', 'post_tag' );
+		\wp_create_term( 'touch', 'post_tag' );
 		\wp_create_term( 'ccc', 'post_tag' );
 		$object = \get_term_by( 'name', 'object', 'post_tag' );
 		$link = \get_term_link( $object, 'post_tag' );
@@ -23,6 +24,12 @@ color: #ccc;
 ]]>
 
 ENDSTYLE;
+		$pre = <<
+Please don't #touch
+  this.
+
+ENDPRE; $textarea = ''; return array( array( 'test', 'test' ), @@ -40,6 +47,7 @@ ENDSTYLE; array( $code, $code ), array( $style, $style ), array( $textarea, $textarea ), + array( $pre, $pre ), ); } } diff --git a/tests/test-class-activitypub-mention.php b/tests/test-class-activitypub-mention.php index e4054d0..6f6b9ff 100644 --- a/tests/test-class-activitypub-mention.php +++ b/tests/test-class-activitypub-mention.php @@ -19,6 +19,12 @@ class Test_Activitypub_Mention extends ActivityPub_TestCase_Cache_HTTP { public function the_content_provider() { $code = 'hallo @username@example.org test'; + $pre = << +Please don't mention @username@example.org + here. + +ENDPRE; return array( array( 'hallo @username@example.org test', 'hallo @username test' ), array( 'hallo @pfefferle@notiz.blog test', 'hallo @pfefferle test' ), @@ -26,6 +32,7 @@ class Test_Activitypub_Mention extends ActivityPub_TestCase_Cache_HTTP { array( 'hallo @pfefferle@notiz.blog test', 'hallo @pfefferle@notiz.blog test' ), array( 'hallo @pfefferle@notiz.blog test', 'hallo @pfefferle@notiz.blog test' ), array( $code, $code ), + array( $pre, $pre ), ); } From 6ea46c5024db00d16b7789159f6fcb05cba09663 Mon Sep 17 00:00:00 2001 From: Alex Kirk Date: Fri, 27 Jan 2023 16:59:15 +0100 Subject: [PATCH 3/4] Protect cdata --- includes/class-hashtag.php | 25 ++++++++++++------------ includes/class-mention.php | 25 ++++++++++++------------ tests/test-class-activitypub-hashtag.php | 2 +- 3 files changed, 27 insertions(+), 25 deletions(-) diff --git a/includes/class-hashtag.php b/includes/class-hashtag.php index cbdb7df..9ce8b34 100644 --- a/includes/class-hashtag.php +++ b/includes/class-hashtag.php 
@@ -44,24 +44,25 @@ class Hashtag {
 */
 public static function the_content( $the_content ) {
 $protected_tags = array();
+ $protect = function( $m ) use ( &$protected_tags ) {
+ $c = count( $protected_tags );
+ $protect = '!#!#PROTECT' . $c . '#!#!';
+ $protected_tags[ $protect ] = $m[0];
+ return $protect;
+ };
+ $the_content = preg_replace_callback(
+ '##is',
+ $protect,
+ $the_content
+ );
 $the_content = preg_replace_callback(
 '#<(pre|code|textarea|style)\b[^>]*>.*?]*>#is',
- function( $m ) use ( &$protected_tags ) {
- $c = count( $protected_tags );
- $protect = '!#!#PROTECT' . $c . '#!#!';
- $protected_tags[ $protect ] = $m[0];
- return $protect;
- },
+ $protect,
 $the_content
 );
 $the_content = preg_replace_callback(
 '#<[^>]+>#i',
- function( $m ) use ( &$protected_tags ) {
- $c = count( $protected_tags );
- $protect = '!#!#PROTECT' . $c . '#!#!';
- $protected_tags[ $protect ] = $m[0];
- return $protect;
- },
+ $protect,
 $the_content
 );
diff --git a/includes/class-mention.php b/includes/class-mention.php
index 1912dfa..7012e40 100644
--- a/includes/class-mention.php
+++ b/includes/class-mention.php
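Review bot: The shared `$protect` closure builds its token from a counter alone, `'!#!#PROTECT' . $c . '#!#!'`, so the token text is fixed and predictable; a post that already contains the literal string `!#!#PROTECT0#!#!` will have a protected fragment substituted into that spot by the restoring `str_replace()` later in the function (outside this hunk). Now that the token is built in one place, mix in a per-call value: `$salt = wp_generate_password( 12, false );` before the closure, `use ( &$protected_tags, $salt )`, and `'!#!#PROTECT' . $salt . '_' . $c . '#!#!'` inside it. Renaming the inner local to `$token` would also stop it shadowing the closure's own name. The same closure is added to `Mention::the_content()` in the next file.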
@@ -24,24 +24,25 @@ class Mention { */ public static function the_content( $the_content ) { $protected_tags = array(); + $protect = function( $m ) use ( &$protected_tags ) { + $c = count( $protected_tags ); + $protect = '!#!#PROTECT' . $c . '#!#!'; + $protected_tags[ $protect ] = $m[0]; + return $protect; + }; + $the_content = preg_replace_callback( + '##is', + $protect, + $the_content + ); $the_content = preg_replace_callback( '#<(pre|code|textarea|style)\b[^>]*>.*?]*>#is', - function( $m ) use ( &$protected_tags ) { - $c = count( $protected_tags ); - $protect = '!#!#PROTECT' . $c . '#!#!'; - $protected_tags[ $protect ] = $m[0]; - return $protect; - }, + $protect, $the_content ); $the_content = preg_replace_callback( '#]+>.*?#i', - function( $m ) use ( &$protected_tags ) { - $c = count( $protected_tags ); - $protect = '!#!#PROTECT' . $c . '#!#!'; - $protected_tags[ $protect ] = $m[0]; - return $protect; - }, + $protect, $the_content ); diff --git a/tests/test-class-activitypub-hashtag.php b/tests/test-class-activitypub-hashtag.php index 319b47d..51a532c 100644 --- a/tests/test-class-activitypub-hashtag.php +++ b/tests/test-class-activitypub-hashtag.php @@ -19,7 +19,7 @@ class Test_Activitypub_Hashtag extends WP_UnitTestCase { $code = 'text with some #object and tag inside'; $style = << - From 7e3a5f4e6818a9488ecfff4de6f9726647d3c733 Mon Sep 17 00:00:00 2001 From: Alex Kirk Date: Fri, 27 Jan 2023 17:23:25 +0100 Subject: [PATCH 4/4] Handle double protect --- includes/class-hashtag.php | 4 ++-- includes/class-mention.php | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/includes/class-hashtag.php b/includes/class-hashtag.php index 9ce8b34..b14a8fa 100644 --- a/includes/class-hashtag.php +++ b/includes/class-hashtag.php @@ -51,7 +51,7 @@ class Hashtag { return $protect; }; $the_content = preg_replace_callback( - '##is', + '##is', $protect, $the_content ); 
@@ -68,7 +68,7 @@ class Hashtag {
 $the_content = \preg_replace_callback( '/' . ACTIVITYPUB_HASHTAGS_REGEXP . '/i', array( '\Activitypub\Hashtag', 'replace_with_links' ), $the_content );
- $the_content = str_replace( array_keys( $protected_tags ), array_values( $protected_tags ), $the_content );
+ $the_content = str_replace( array_reverse( array_keys( $protected_tags ) ), array_reverse( array_values( $protected_tags ) ), $the_content );
 return $the_content;
 }
diff --git a/includes/class-mention.php b/includes/class-mention.php
index 7012e40..7c8672a 100644
--- a/includes/class-mention.php
+++ b/includes/class-mention.php
@@ -31,7 +31,7 @@ class Mention {
 return $protect;
 };
 $the_content = preg_replace_callback(
- '##is',
+ '##is',
 $protect,
 $the_content
 );
@@ -48,7 +48,7 @@ class Mention {
 $the_content = \preg_replace_callback( '/@' . ACTIVITYPUB_USERNAME_REGEXP . '/', array( '\Activitypub\Mention', 'replace_with_links' ), $the_content );
- $the_content = str_replace( array_keys( $protected_tags ), array_values( $protected_tags ), $the_content );
+ $the_content = str_replace( array_reverse( array_keys( $protected_tags ) ), array_reverse( array_values( $protected_tags ) ), $the_content );
 return $the_content;
 }
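Review bot: The reversed restore in `Hashtag::the_content()` carries no comment saying why the order matters, so it is easy to simplify back to the plain `array_keys()`/`array_values()` call and reintroduce unreplaced placeholders. Add above the `str_replace()` line: `// Restore the newest placeholders first: a later match can contain a placeholder from an earlier pass.` The same line in `Mention::the_content()` wants the same comment. The fix also depends on `str_replace()` applying the array pairs in order to the running result and on `$protected_tags` keeping insertion order; a test with a protected block nested in another would pin that, if the series does not already have one.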