
Commit 2190dc4

authored
Double quote escaping (#260)
* TwitterCards.php - Equalize code structure * Fixes #189 - Double quote escaping: implements double quote escaping and moves the value cleaning into a separate function
1 parent 94fbb3b commit 2190dc4


2 files changed

+47
-3
lines changed


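--- a/src/SEOTools/OpenGraph.php
+++ b/src/SEOTools/OpenGraph.php
@@ -263,16 +263,36 @@ protected function eachProperties(
 */
 protected function makeTag($key = null, $value = null, $ogPrefix = false)
 {
-$value = str_replace(['http-equiv=', 'url='], '', $value);
 return sprintf(
 '<meta property="%s%s" content="%s" />%s',
 $ogPrefix ? $this->og_prefix : '',
 strip_tags($key),
-strip_tags($value),
+$this->cleanTagValue($value),
 PHP_EOL
 );
 }
 
+/**
+* Clean og tag value
+*
+* @param string $value meta property value
+*
+* @return string
+*/
+protected function cleanTagValue($value)
+{
+// Safety
+$value = str_replace(['http-equiv=', 'url='], '', $value);
+
+// Escape double quotes
+$value = htmlspecialchars($value, ENT_QUOTES, null, false);
+
+// Clean
+$value = strip_tags($value);
+
+return $value;
+}
+
 /**
 * Add or update property.
 *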
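Review bot: The `$key` argument still reaches the `property="%s%s"` attribute through `strip_tags($key)` alone, so a double quote inside a property name can still terminate the attribute even though the content side is now encoded by `cleanTagValue`. If property names can come from anything other than hard-coded developer strings, the same escaping belongs there too: `htmlspecialchars(strip_tags($key), ENT_QUOTES, 'UTF-8')`. Separately, inside `cleanTagValue` the `strip_tags` call runs after `htmlspecialchars` has already turned every `<` into `&lt;`, so it never finds a tag to strip; if the intent is to drop markup from the value rather than render it literally as text, the two calls should be swapped, otherwise the `// Clean` step can go. The enclosing class starts before the hunk; both methods shown are complete within it.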

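--- a/src/SEOTools/TwitterCards.php
+++ b/src/SEOTools/TwitterCards.php
@@ -83,8 +83,32 @@ protected function eachValue(array $values, $prefix = null)
 */
 private function makeTag($key, $value)
 {
+return sprintf(
+'<meta name="%s" content="%s" />',
+$this->prefix.strip_tags($key),
+$this->cleanTagValue($value)
+);
+}
+
+/**
+* Clean tag value
+*
+* @param string $value meta content value
+*
+* @return string
+*/
+protected function cleanTagValue($value)
+{
+// Safety
 $value = str_replace(['http-equiv=', 'url='], '', $value);
-return '<meta name="'.$this->prefix.strip_tags($key).'" content="'.strip_tags($value).'" />';
+
+// Escape double quotes
+$value = htmlspecialchars($value, ENT_QUOTES, null, false);
+
+// Clean
+$value = strip_tags($value);
+
+return $value;
 }
 
 /**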
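Review bot: `htmlspecialchars($value, ENT_QUOTES, null, false)` in the new `cleanTagValue` passes `null` as the encoding and omits `ENT_SUBSTITUTE`, so a `$value` holding an invalid UTF-8 sequence makes the call return an empty string and the card's content silently disappears; passing `null` for the encoding is also deprecated from PHP 8.1 on, though the project's target PHP version is not visible here. Prefer `$value = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);`. The preceding `str_replace(['http-equiv=', 'url='], '', $value)` is a single-pass blacklist (`uurl=rl=` comes out as `url=`), so it must not be relied on for anything the quote encoding below does not already cover; a comment such as `// Legacy heuristic only; attribute safety comes from htmlspecialchars below` would keep the next reader from treating it as a guarantee. The enclosing class starts before the hunk; the `name="%s"` attribute in `makeTag` still gets `strip_tags($key)` without quote encoding, which matters only if `$key` can be untrusted.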
