From 124afc2054529b080abd0b9629b0673edad279e9 Mon Sep 17 00:00:00 2001 From: Eldon Koyle Date: Thu, 3 Mar 2016 11:02:17 -0700 Subject: [PATCH] Don't escape single quotes in alert templates so that we can compare strings in if statements --- alerts.php | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/alerts.php b/alerts.php index fc27e130fe..0948045a97 100755 --- a/alerts.php +++ b/alerts.php @@ -359,6 +359,18 @@ function ExtTransports($obj) { }//end ExtTransports() +/** + * Escape certain characters in template string + * @param string $tpl Template + * @return string + */ +function TplEscape($tpl) { + // theoretically like addslashes(), but don't escape single quote (') and do escape $ + // FIXME: is there still a way to break out of the double-quoted string, maybe with a unicode char? + return preg_replace('(["\\\\$\\0])','\\0',$tpl); +} + + /** * Format Alert * @param array $obj Alert-Array @@ -366,7 +378,7 @@ function ExtTransports($obj) { */ function FormatAlertTpl($obj) { $tpl = $obj["template"]; - $msg = '$ret .= "'.str_replace(array('{else}', '{/if}', '{/foreach}'), array('"; } else { $ret .= "', '"; } $ret .= "', '"; } $ret .= "'), addslashes($tpl)).'";'; + $msg = '$ret .= "'.str_replace(array('{else}', '{/if}', '{/foreach}'), array('"; } else { $ret .= "', '"; } $ret .= "', '"; } $ret .= "'), TplEscape($tpl)).'";'; $parsed = $msg; $s = strlen($msg); $x = $pos = -1;