Merge pull request SimpleMachines#8838 from jdarwood007/2.1/fix8820

Sesquipedalian · web-flow · commit a495fbe40fe8 · 2025-08-17T14:30:27.000-06:00
[2.1] Fix quotes in names for mention handling
diff --git a/Sources/Mentions.php b/Sources/Mentions.php
@@ -305,7 +305,7 @@ protected static function getPossibleMentions($body)
 			$count = count($match);
 
 			for ($i = 1; $i <= $count; $i++)
-				$names[] = $smcFunc['htmlspecialchars']($smcFunc['htmltrim'](implode('', array_slice($match, 0, $i))));
+				$names[] = $smcFunc['htmlspecialchars']($smcFunc['htmltrim'](implode('', array_slice($match, 0, $i))), ENT_QUOTES);
 		}
 
 		$names = array_unique($names);
diff --git a/Themes/default/scripts/mentions.js b/Themes/default/scripts/mentions.js
@@ -43,6 +43,25 @@ var atwhoConfig = {
 					callback(callbackArray);
 				}
 			});
+		},
+		tplEval: function (tpl, map, caller) {
+			var error, error1, template;
+			template = tpl;
+			try {
+			  if (typeof tpl !== 'string') {
+				template = tpl(map);
+			  }
+			  // When SCEditor is disabled, inserted names may contain some HTML if it was escaped.
+			  if (caller == 'onInsert') {
+			  	map['name'] = map['name'].toString().replace("&#034;", '"').replace('&#39;', "'");
+			  }
+			  return template.replace(/\$\{([^\}]*)\}/g, function(tag, key, pos) {
+				return map[key];
+			  });
+			} catch (error1) {
+			  error = error1;
+			  return "";
+			}
 		}
 	}
 };

Original file line number	Diff line number	Diff line change
`@@ -305,7 +305,7 @@ protected static function getPossibleMentions($body)`
`305`	`305`	`$count = count($match);`
`306`	`306`
`307`	`307`	`for ($i = 1; $i <= $count; $i++)`
`308`		`- $names[] = $smcFunc['htmlspecialchars']($smcFunc['htmltrim'](implode('', array_slice($match, 0, $i))));`
	`308`	`+ $names[] = $smcFunc['htmlspecialchars']($smcFunc['htmltrim'](implode('', array_slice($match, 0, $i))), ENT_QUOTES);`
`309`	`309`	`}`
`310`	`310`
`311`	`311`	`$names = array_unique($names);`