Double quote escaping (#260)

* TwitterCards.php - Equalize code structure Equalize code structure * Fixes #189 - Double quote escaping Implements double quote escaping & moved cleaning to separate function
artesaos · Feb 6, 2022 · 2190dc4 · 2190dc4
1 parent 94fbb3b
commit 2190dc4
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 3 deletions.
diff --git a/src/SEOTools/OpenGraph.php b/src/SEOTools/OpenGraph.php
@@ -263,16 +263,36 @@ protected function eachProperties(
      */
     protected function makeTag($key = null, $value = null, $ogPrefix = false)
     {
-        $value = str_replace(['http-equiv=', 'url='], '', $value);
         return sprintf(
             '<meta property="%s%s" content="%s" />%s',
             $ogPrefix ? $this->og_prefix : '',
             strip_tags($key),
-            strip_tags($value),
+            $this->cleanTagValue($value),
             PHP_EOL
         );
     }
 
+    /**
+     * Clean og tag value
+     *
+     * @param string $value    meta property value
+     *
+     * @return string
+     */
+    protected function cleanTagValue($value)
+    {
+        // Safety
+        $value = str_replace(['http-equiv=', 'url='], '', $value);
+
+        // Escape double quotes
+        $value = htmlspecialchars($value, ENT_QUOTES, null, false);
+
+        // Clean
+        $value = strip_tags($value);
+
+        return $value;
+    }
+
     /**
      * Add or update property.
      *

diff --git a/src/SEOTools/TwitterCards.php b/src/SEOTools/TwitterCards.php
@@ -83,8 +83,32 @@ protected function eachValue(array $values, $prefix = null)
      */
     private function makeTag($key, $value)
     {
+        return sprintf(
+            '<meta name="%s" content="%s" />',
+            $this->prefix.strip_tags($key),
+            $this->cleanTagValue($value)
+        );
+    }
+
+    /**
+     * Clean tag value
+     *
+     * @param string $value    meta content value
+     *
+     * @return string
+     */
+    protected function cleanTagValue($value)
+    {
+        // Safety
         $value = str_replace(['http-equiv=', 'url='], '', $value);
-        return '<meta name="'.$this->prefix.strip_tags($key).'" content="'.strip_tags($value).'" />';
+
+        // Escape double quotes
+        $value = htmlspecialchars($value, ENT_QUOTES, null, false);
+
+        // Clean
+        $value = strip_tags($value);
+
+        return $value;
     }
 
     /**