From d045721575d8330d4c9b813d32ba27c2aca86141 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Sat, 7 Jun 2025 14:23:35 +0200 Subject: [PATCH 1/2] Use ZVAL_NEW_STR() for new string in php_filter_encode_html() --- ext/filter/sanitizing_filters.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/filter/sanitizing_filters.c b/ext/filter/sanitizing_filters.c index 7f8b4948d5818..d619bb0fc13a7 100644 --- a/ext/filter/sanitizing_filters.c +++ b/ext/filter/sanitizing_filters.c @@ -49,7 +49,7 @@ static void php_filter_encode_html(zval *value, const unsigned char *chars) } zval_ptr_dtor(value); - ZVAL_STR(value, smart_str_extract(&str)); + ZVAL_NEW_STR(value, smart_str_extract(&str)); } static const unsigned char hexchars[] = "0123456789ABCDEF"; From 896abd1a333bf04d470ab3e6cd57c20ba8bbce66 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Sat, 7 Jun 2025 14:28:44 +0200 Subject: [PATCH 2/2] Output blocks of safe chars in php_filter_encode_html() Fixes a long-standing TODO, and is faster. --- ext/filter/sanitizing_filters.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/ext/filter/sanitizing_filters.c b/ext/filter/sanitizing_filters.c index d619bb0fc13a7..ebc20e47711db 100644 --- a/ext/filter/sanitizing_filters.c +++ b/ext/filter/sanitizing_filters.c @@ -31,6 +31,7 @@ static void php_filter_encode_html(zval *value, const unsigned char *chars) size_t len = Z_STRLEN_P(value); unsigned char *s = (unsigned char *)Z_STRVAL_P(value); unsigned char *e = s + len; + unsigned char *last_output = s; if (Z_STRLEN_P(value) == 0) { return; @@ -38,16 +39,17 @@ static void php_filter_encode_html(zval *value, const unsigned char *chars) while (s < e) { if (chars[*s]) { + smart_str_appendl(&str, (const char *) last_output, s - last_output); smart_str_appendl(&str, "&#", 2); smart_str_append_unsigned(&str, (zend_ulong)*s); smart_str_appendc(&str, ';'); - } else { - /* XXX: this needs to be optimized to work with blocks of 'safe' chars */ - smart_str_appendc(&str, *s); + last_output = s + 1; } s++; } + smart_str_appendl(&str, (const char *) last_output, s - last_output); + zval_ptr_dtor(value); ZVAL_NEW_STR(value, smart_str_extract(&str)); }