From dfc620d10282d6af1302ab70adb8cb11915a2a30 Mon Sep 17 00:00:00 2001
From: Aaron Parecki <aaron@parecki.com>
Date: Sat, 13 Feb 2021 15:05:06 -0800
Subject: [PATCH] escape html tags when creating html version

---
 lib/XRay/Formats/Twitter.php                  |   3 +-
 tests/TwitterTest.php                         |   9 ++
 .../data/api.twitter.com/tweet-with-html.json | 113 ++++++++++++++++++
 3 files changed, 124 insertions(+), 1 deletion(-)
 create mode 100644 tests/data/api.twitter.com/tweet-with-html.json

diff --git a/lib/XRay/Formats/Twitter.php b/lib/XRay/Formats/Twitter.php
index 56172c5..fdae499 100644
--- a/lib/XRay/Formats/Twitter.php
+++ b/lib/XRay/Formats/Twitter.php
@@ -277,7 +277,8 @@ class Twitter extends Format {
     // Twitter escapes & as &amp; in the text
     $text = html_entity_decode($text);
 
-    $html = str_replace("\n", "<br>\n", $text);
+    $html = htmlspecialchars($text);
+    $html = str_replace("\n", "<br>\n", $html);
 
     if(property_exists($entities, 'user_mentions')) {
       foreach($entities->user_mentions as $user) {
diff --git a/tests/TwitterTest.php b/tests/TwitterTest.php
index ba7492c..96d1d87 100644
--- a/tests/TwitterTest.php
+++ b/tests/TwitterTest.php
@@ -214,6 +214,15 @@ class TwitterTest extends PHPUnit_Framework_TestCase {
     $this->assertEquals("Hey <a href=\"https://twitter.com/OregonGovBrown\">@OregonGovBrown</a> <a href=\"https://twitter.com/tedwheeler\">@tedwheeler</a> day 16 of #BHM is for <a href=\"https://twitter.com/stream_pdx\">@stream_pdx</a>. An amazing podcast trailer run by <a href=\"https://twitter.com/tyeshasnow\">@tyeshasnow</a> helping to democratize story telling in #PDX. Folks can get training in the production of podcasts. <a href=\"https://twitter.com/siliconflorist\">@siliconflorist</a> #SupportBlackBusiness", $tweet['content']['html']);
   }
 
+  public function testTweetWithHTML() {
+    list($url, $json) = $this->loadTweet('tweet-with-html');
+
+    $data = $this->parse(['url' => $url, 'body' => $json]);
+
+    $this->assertContains('<script>', $data['data']['content']['text']);
+    $this->assertContains('&lt;script&gt;', $data['data']['content']['html']);
+  }
+
   public function testStreamingTweetWithLink() {
     list($url, $json) = $this->loadTweet('streaming-tweet-with-link');
     $data = $this->parse(['url' => $url, 'body' => $json]);
diff --git a/tests/data/api.twitter.com/tweet-with-html.json b/tests/data/api.twitter.com/tweet-with-html.json
new file mode 100644
index 0000000..864921a
--- /dev/null
+++ b/tests/data/api.twitter.com/tweet-with-html.json
@@ -0,0 +1,113 @@
+{
+  "created_at": "Wed Feb 10 12:56:18 +0000 2021",
+  "id": 1359486349984714754,
+  "id_str": "1359486349984714754",
+  "full_text": "@dhh Last year I finally gave myself permission to ignore the entire modern JavaScript ecosystem and go back to writing front-end code by typing library-free JavaScript into a &lt;script&gt; block... and it works great!\n\nDon't even need jQuery any more, native JS absorbed its best features",
+  "truncated": false,
+  "display_text_range": [
+    5,
+    290
+  ],
+  "entities": {
+    "hashtags": [
+
+    ],
+    "symbols": [
+
+    ],
+    "user_mentions": [
+      {
+        "screen_name": "dhh",
+        "name": "DHH",
+        "id": 14561327,
+        "id_str": "14561327",
+        "indices": [
+          0,
+          4
+        ]
+      }
+    ],
+    "urls": [
+
+    ]
+  },
+  "source": "<a href=\"http://twitter.com/download/iphone\" rel=\"nofollow\">Twitter for iPhone</a>",
+  "in_reply_to_status_id": 1359426190893862912,
+  "in_reply_to_status_id_str": "1359426190893862912",
+  "in_reply_to_user_id": 14561327,
+  "in_reply_to_user_id_str": "14561327",
+  "in_reply_to_screen_name": "dhh",
+  "user": {
+    "id": 12497,
+    "id_str": "12497",
+    "name": "Simon Willison",
+    "screen_name": "simonw",
+    "location": "San Francisco, CA",
+    "description": "Creator of @datasetteproj, co-creator Django. @JSKstanford Fellow 2020. Collector of @nichemuseums. Usually hanging out with @natbat and @cleopaws. He/Him",
+    "url": "https://t.co/wyNggeHZ8W",
+    "entities": {
+      "url": {
+        "urls": [
+          {
+            "url": "https://t.co/wyNggeHZ8W",
+            "expanded_url": "https://simonwillison.net/",
+            "display_url": "simonwillison.net",
+            "indices": [
+              0,
+              23
+            ]
+          }
+        ]
+      },
+      "description": {
+        "urls": [
+
+        ]
+      }
+    },
+    "protected": false,
+    "followers_count": 22281,
+    "friends_count": 4380,
+    "listed_count": 1310,
+    "created_at": "Wed Nov 15 13:18:50 +0000 2006",
+    "favourites_count": 34961,
+    "utc_offset": null,
+    "time_zone": null,
+    "geo_enabled": true,
+    "verified": true,
+    "statuses_count": 25772,
+    "lang": null,
+    "contributors_enabled": false,
+    "is_translator": false,
+    "is_translation_enabled": false,
+    "profile_background_color": "000000",
+    "profile_background_image_url": "http://abs.twimg.com/images/themes/theme1/bg.png",
+    "profile_background_image_url_https": "https://abs.twimg.com/images/themes/theme1/bg.png",
+    "profile_background_tile": false,
+    "profile_image_url": "http://pbs.twimg.com/profile_images/378800000261649705/be9cc55e64014e6d7663c50d7cb9fc75_normal.jpeg",
+    "profile_image_url_https": "https://pbs.twimg.com/profile_images/378800000261649705/be9cc55e64014e6d7663c50d7cb9fc75_normal.jpeg",
+    "profile_banner_url": "https://pbs.twimg.com/profile_banners/12497/1347977147",
+    "profile_link_color": "0000FF",
+    "profile_sidebar_border_color": "FFFFFF",
+    "profile_sidebar_fill_color": "FFFFFF",
+    "profile_text_color": "000000",
+    "profile_use_background_image": true,
+    "has_extended_profile": true,
+    "default_profile": false,
+    "default_profile_image": false,
+    "following": true,
+    "follow_request_sent": false,
+    "notifications": false,
+    "translator_type": "regular"
+  },
+  "geo": null,
+  "coordinates": null,
+  "place": null,
+  "contributors": null,
+  "is_quote_status": false,
+  "retweet_count": 2,
+  "favorite_count": 75,
+  "favorited": true,
+  "retweeted": false,
+  "lang": "en"
+}