From 428ea2f34ebc1f76780e049c969f22ad9355bdd6 Mon Sep 17 00:00:00 2001
From: El RIDO <elrido@gmx.net>
Date: Sat, 1 Feb 2020 08:09:30 +0100
Subject: [PATCH 1/4] adding test that expects parameters of php translation to
 get HTML entities to get encoded

---
 tst/I18nTest.php | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/tst/I18nTest.php b/tst/I18nTest.php
index f366720a..658ceb18 100644
--- a/tst/I18nTest.php
+++ b/tst/I18nTest.php
@@ -155,6 +155,13 @@ class I18nTest extends PHPUnit_Framework_TestCase
         $this->assertEquals('some string + 1', I18n::_('some %s + %d', 'string', 1), 'browser language en');
     }
 
+    public function testHtmlEntityEncoding()
+    {
+        $_SERVER['HTTP_ACCEPT_LANGUAGE'] = 'foobar';
+        I18n::loadTranslations();
+        $this->assertEquals('some ' . htmlentities('&<>"\'/`=', ENT_QUOTES | ENT_XHTML | ENT_DISALLOWED, 'UTF-8') . ' + 1', I18n::_('some %s + %d', '&<>"\'/`=', 1), 'browser language en');
+    }
+
     public function testMessageIdsExistInAllLanguages()
     {
         $messageIds = array();

From cc0920fc09b43803bc5323724e555f3b400fc32d Mon Sep 17 00:00:00 2001
From: El RIDO <elrido@gmx.net>
Date: Sat, 1 Feb 2020 08:46:59 +0100
Subject: [PATCH 2/4] add HTML entity encoding to PHP translation logic, remove
 exception to allow <br/> tags in DOMpurify by eliminating the single case
 that made use of it

---
 i18n/bg.json      | 4 ++--
 i18n/cs.json      | 4 ++--
 i18n/de.json      | 4 ++--
 i18n/es.json      | 4 ++--
 i18n/fr.json      | 4 ++--
 i18n/hu.json      | 2 +-
 i18n/it.json      | 4 ++--
 i18n/nl.json      | 4 ++--
 i18n/no.json      | 4 ++--
 i18n/oc.json      | 4 ++--
 i18n/pl.json      | 2 +-
 i18n/pt.json      | 4 ++--
 i18n/ru.json      | 4 ++--
 i18n/sl.json      | 4 ++--
 i18n/uk.json      | 4 ++--
 i18n/zh.json      | 4 ++--
 js/privatebin.js  | 2 +-
 js/test/I18n.js   | 6 +++---
 lib/I18n.php      | 9 +++++++++
 tpl/bootstrap.php | 4 ++--
 tpl/page.php      | 4 ++--
 21 files changed, 47 insertions(+), 38 deletions(-)

diff --git a/i18n/bg.json b/i18n/bg.json
index 632bedb3..c87c1afd 100644
--- a/i18n/bg.json
+++ b/i18n/bg.json
@@ -31,8 +31,8 @@
         "Невалиден код за изтриване. Информацията Ви не беше изтрита.",
     "Paste was properly deleted.":
         "Информацията Ви е изтрита.",
-    "JavaScript is required for %s to work.<br />Sorry for the inconvenience.":
-        "Услугата %s се нуждае от JavaScript, за да работи.<br />Съжаляваме за неудобството.",
+    "JavaScript is required for %s to work. Sorry for the inconvenience.":
+        "Услугата %s се нуждае от JavaScript, за да работи. Съжаляваме за неудобството.",
     "%s requires a modern browser to work.":
         "%s се нуждае от съвременен браузър за да работи.",
     "New":
diff --git a/i18n/cs.json b/i18n/cs.json
index 02a55513..a199bc56 100644
--- a/i18n/cs.json
+++ b/i18n/cs.json
@@ -31,8 +31,8 @@
         "Wrong deletion token. Paste was not deleted.",
     "Paste was properly deleted.":
         "Paste was properly deleted.",
-    "JavaScript is required for %s to work.<br />Sorry for the inconvenience.":
-        "JavaScript is required for %s to work.<br />Sorry for the inconvenience.",
+    "JavaScript is required for %s to work. Sorry for the inconvenience.":
+        "JavaScript is required for %s to work. Sorry for the inconvenience.",
     "%s requires a modern browser to work.":
         "%%s requires a modern browser to work.",
     "New":
diff --git a/i18n/de.json b/i18n/de.json
index 2c883dfe..31eec787 100644
--- a/i18n/de.json
+++ b/i18n/de.json
@@ -31,8 +31,8 @@
         "Falscher Lösch-Code. Text wurde nicht gelöscht.",
     "Paste was properly deleted.":
         "Text wurde erfolgreich gelöscht.",
-    "JavaScript is required for %s to work.<br />Sorry for the inconvenience.":
-        "JavaScript ist eine Voraussetzung, um %s zu nutzen.<br />Bitte entschuldige die Unannehmlichkeiten.",
+    "JavaScript is required for %s to work. Sorry for the inconvenience.":
+        "JavaScript ist eine Voraussetzung, um %s zu nutzen. Bitte entschuldige die Unannehmlichkeiten.",
     "%s requires a modern browser to work.":
         "%s setzt einen modernen Browser voraus, um funktionieren zu können.",
     "New":
diff --git a/i18n/es.json b/i18n/es.json
index 93509874..df1e054f 100644
--- a/i18n/es.json
+++ b/i18n/es.json
@@ -31,8 +31,8 @@
         "Token de eliminación erróneo. El \"paste\" no fue eliminado.",
     "Paste was properly deleted.":
         "El \"paste\" se ha eliminado correctamente.",
-    "JavaScript is required for %s to work.<br />Sorry for the inconvenience.":
-        "JavaScript es necesario para que %s funcione.<br />Sentimos los inconvenientes ocasionados.",
+    "JavaScript is required for %s to work. Sorry for the inconvenience.":
+        "JavaScript es necesario para que %s funcione. Sentimos los inconvenientes ocasionados.",
     "%s requires a modern browser to work.":
         "%s requiere un navegador moderno para funcionar.",
     "New":
diff --git a/i18n/fr.json b/i18n/fr.json
index 9af77fb1..5cb87976 100644
--- a/i18n/fr.json
+++ b/i18n/fr.json
@@ -31,8 +31,8 @@
         "Jeton de suppression incorrect. Le paste n'a pas été supprimé.",
     "Paste was properly deleted.":
         "Le paste a été correctement supprimé.",
-    "JavaScript is required for %s to work.<br />Sorry for the inconvenience.":
-        "JavaScript est requis pour faire fonctionner %s. <br />Désolé pour cet inconvénient.",
+    "JavaScript is required for %s to work. Sorry for the inconvenience.":
+        "JavaScript est requis pour faire fonctionner %s. Désolé pour cet inconvénient.",
     "%s requires a modern browser to work.":
         "%s nécessite un navigateur moderne pour fonctionner.",
     "New":
diff --git a/i18n/hu.json b/i18n/hu.json
index 57076d9c..f55efdcb 100644
--- a/i18n/hu.json
+++ b/i18n/hu.json
@@ -31,7 +31,7 @@
         "Hibás törlési azonosító. A bejegyzés nem lett törölve.",
     "Paste was properly deleted.":
         "A bejegyzés sikeresen törölve.",
-    "JavaScript is required for %s to work.<br />Sorry for the inconvenience.":
+    "JavaScript is required for %s to work. Sorry for the inconvenience.":
         "JavaScript szükséges a %s működéséhez. Elnézést a fennakadásért.",
     "%s requires a modern browser to work.":
         "A %s működéséhez a jelenleginél újabb böngészőre van szükség.",
diff --git a/i18n/it.json b/i18n/it.json
index 26b11c6c..2a2bff50 100644
--- a/i18n/it.json
+++ b/i18n/it.json
@@ -31,8 +31,8 @@
         "Codice cancellazione errato. Il messaggio NON è stato cancellato.",
     "Paste was properly deleted.":
         "Il messaggio è stato correttamente cancellato.",
-    "JavaScript is required for %s to work.<br />Sorry for the inconvenience.":
-        "%s funziona solo con JavaScript attivo.<br />Ci dispiace per l'inconveniente.",
+    "JavaScript is required for %s to work. Sorry for the inconvenience.":
+        "%s funziona solo con JavaScript attivo. Ci dispiace per l'inconveniente.",
     "%s requires a modern browser to work.":
         "%s richiede un browser moderno e aggiornato per funzionare.",
     "New":
diff --git a/i18n/nl.json b/i18n/nl.json
index d6780c39..d3bdb720 100644
--- a/i18n/nl.json
+++ b/i18n/nl.json
@@ -31,8 +31,8 @@
         "Foutieve verwijdercode. Geplakte tekst is niet verwijderd.",
     "Paste was properly deleted.":
         "Geplakte tekst is correct verwijderd.",
-    "JavaScript is required for %s to work.<br />Sorry for the inconvenience.":
-        "JavaScript vereist om %s te laten werken.<br />Sorry voor het ongemak.",
+    "JavaScript is required for %s to work. Sorry for the inconvenience.":
+        "JavaScript vereist om %s te laten werken. Sorry voor het ongemak.",
     "%s requires a modern browser to work.":
         "%s vereist een moderne browser om te kunnen werken ",
     "New":
diff --git a/i18n/no.json b/i18n/no.json
index ccb5f2c7..f43ef6e4 100644
--- a/i18n/no.json
+++ b/i18n/no.json
@@ -31,8 +31,8 @@
         "Feil slettingsnøkkel. Innlegg ble ikke fjernet.",
     "Paste was properly deleted.":
         "Innlegget er slettet.",
-    "JavaScript is required for %s to work.<br />Sorry for the inconvenience.":
-        "Javascript kreves for at %s skal fungere<br />Beklager.",
+    "JavaScript is required for %s to work. Sorry for the inconvenience.":
+        "Javascript kreves for at %s skal fungere. Beklager.",
     "%s requires a modern browser to work.":
         "%s krever en moderne nettleser for å fungere.",
     "New":
diff --git a/i18n/oc.json b/i18n/oc.json
index 7f9ad2a0..c078faed 100644
--- a/i18n/oc.json
+++ b/i18n/oc.json
@@ -31,8 +31,8 @@
         "Geton de supression incorrècte. Lo tèxte es pas estat suprimit.",
     "Paste was properly deleted.":
         "Lo tèxte es estat corrèctament  suprimit.",
-    "JavaScript is required for %s to work.<br />Sorry for the inconvenience.":
-        "JavaScript es requesit per far foncionar %s. <br />O planhèm per l’inconvenient.",
+    "JavaScript is required for %s to work. Sorry for the inconvenience.":
+        "JavaScript es requesit per far foncionar %s. O planhèm per l’inconvenient.",
     "%s requires a modern browser to work.":
         "%s necessita un navigator modèrn per foncionar.",
     "New":
diff --git a/i18n/pl.json b/i18n/pl.json
index ff27c473..3517b076 100644
--- a/i18n/pl.json
+++ b/i18n/pl.json
@@ -31,7 +31,7 @@
         "Nieprawidłowy token usuwania. Wklejka nie została usunięta.",
     "Paste was properly deleted.":
         "Wklejka usunięta poprawnie.",
-    "JavaScript is required for %s to work.<br />Sorry for the inconvenience.":
+    "JavaScript is required for %s to work. Sorry for the inconvenience.":
         "Do działania %sa jest wymagany JavaScript. Przepraszamy za tę niedogodność.",
     "%s requires a modern browser to work.":
         "%s wymaga do działania nowoczesnej przeglądarki.",
diff --git a/i18n/pt.json b/i18n/pt.json
index 6ccd9d39..6dc1f405 100644
--- a/i18n/pt.json
+++ b/i18n/pt.json
@@ -31,8 +31,8 @@
         "Token de remoção inválido. A cópia não foi excluída.",
     "Paste was properly deleted.":
         "A cópia foi devidamente excluída.",
-    "JavaScript is required for %s to work.<br />Sorry for the inconvenience.":
-        "JavaScript é necessário para que %s funcione.<br />Pedimos desculpas pela inconveniência.",
+    "JavaScript is required for %s to work. Sorry for the inconvenience.":
+        "JavaScript é necessário para que %s funcione. Pedimos desculpas pela inconveniência.",
     "%s requires a modern browser to work.":
         "%s requer um navegador moderno para funcionar.",
     "New":
diff --git a/i18n/ru.json b/i18n/ru.json
index c65d5e9d..8973f24c 100644
--- a/i18n/ru.json
+++ b/i18n/ru.json
@@ -31,8 +31,8 @@
         "Неверный ключ удаления записи. Запись не удалена.",
     "Paste was properly deleted.":
         "Запись была успешно удалена.",
-    "JavaScript is required for %s to work.<br />Sorry for the inconvenience.":
-        "Для работы %s требуется включенный JavaScript.<br />Приносим извинения за неудобства.",
+    "JavaScript is required for %s to work. Sorry for the inconvenience.":
+        "Для работы %s требуется включенный JavaScript. Приносим извинения за неудобства.",
     "%s requires a modern browser to work.":
         "Для работы %s требуется более современный браузер.",
     "New":
diff --git a/i18n/sl.json b/i18n/sl.json
index 804e5fb8..15e57289 100644
--- a/i18n/sl.json
+++ b/i18n/sl.json
@@ -31,8 +31,8 @@
         "Napačen token za izbris. Prilepek ni bil izbrisan..",
     "Paste was properly deleted.":
         "Prilepek je uspešno izbrisan.",
-    "JavaScript is required for %s to work.<br />Sorry for the inconvenience.":
-        "Da %s deluje, moraš vklopiti JavaScript.<br />Oprosti za povročene nevšečnosti.",
+    "JavaScript is required for %s to work. Sorry for the inconvenience.":
+        "Da %s deluje, moraš vklopiti JavaScript. Oprosti za povročene nevšečnosti.",
     "%s requires a modern browser to work.":
         "%s za svoje delovanje potrebuje moderen brskalnik.",
     "New":
diff --git a/i18n/uk.json b/i18n/uk.json
index fd53982d..635495d3 100644
--- a/i18n/uk.json
+++ b/i18n/uk.json
@@ -31,8 +31,8 @@
         "Неправильний ключ вилучення допису. Допис не вилучено.",
     "Paste was properly deleted.":
         "Допис був вилучений повністю.",
-    "JavaScript is required for %s to work.<br />Sorry for the inconvenience.":
-        "Для роботи %s потрібен увімкнутий JavaScript.<br />Вибачте.",
+    "JavaScript is required for %s to work. Sorry for the inconvenience.":
+        "Для роботи %s потрібен увімкнутий JavaScript. Вибачте.",
     "%s requires a modern browser to work.":
         "Для роботи %s потрібен більш сучасний переглядач.",
     "New":
diff --git a/i18n/zh.json b/i18n/zh.json
index d5e55fb0..749d611a 100644
--- a/i18n/zh.json
+++ b/i18n/zh.json
@@ -31,8 +31,8 @@
         "错误的删除token，粘贴内容没有被删除。",
     "Paste was properly deleted.":
         "粘贴内容已被正确删除。",
-    "JavaScript is required for %s to work.<br />Sorry for the inconvenience.":
-        "%s需要JavaScript来进行加解密。<br />给你带来的不便敬请谅解。",
+    "JavaScript is required for %s to work. Sorry for the inconvenience.":
+        "%s需要JavaScript来进行加解密。 给你带来的不便敬请谅解。",
     "%s requires a modern browser to work.":
         "%s需要在现代浏览器上工作。",
     "New":
diff --git a/js/privatebin.js b/js/privatebin.js
index c1b016b6..4729128b 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -645,7 +645,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
                 // only allow tags/attributes we actually use in translations
                 output = DOMPurify.sanitize(
                     output, {
-                        ALLOWED_TAGS: ['a', 'br', 'i', 'span'],
+                        ALLOWED_TAGS: ['a', 'i', 'span'],
                         ALLOWED_ATTR: ['href', 'id']
                     }
                 );
diff --git a/js/test/I18n.js b/js/test/I18n.js
index 6d82b63b..585ee3e5 100644
--- a/js/test/I18n.js
+++ b/js/test/I18n.js
@@ -38,7 +38,7 @@ describe('I18n', function () {
                 } else {
                     messageId = DOMPurify.sanitize(
                         messageId, {
-                            ALLOWED_TAGS: ['a', 'br', 'i', 'span'],
+                            ALLOWED_TAGS: ['a', 'i', 'span'],
                             ALLOWED_ATTR: ['href', 'id']
                         }
                     );
@@ -77,7 +77,7 @@ describe('I18n', function () {
                 postfix   =   postfix.replace(/%(s|d)/g, '%%');
                 const translation = DOMPurify.sanitize(
                     prefix + $.PrivateBin.Helper.htmlEntities(params[0]) + '<a></a>' + postfix, {
-                        ALLOWED_TAGS: ['a', 'br', 'i', 'span'],
+                        ALLOWED_TAGS: ['a', 'i', 'span'],
                         ALLOWED_ATTR: ['href', 'id']
                     }
                 );
@@ -129,7 +129,7 @@ describe('I18n', function () {
                 postfix   =   postfix.replace(/%(s|d)/g, '%%').trim();
                 const translation = DOMPurify.sanitize(
                     prefix + $.PrivateBin.Helper.htmlEntities(params[0]) + '<a></a>' + postfix, {
-                        ALLOWED_TAGS: ['a', 'br', 'i', 'span'],
+                        ALLOWED_TAGS: ['a', 'i', 'span'],
                         ALLOWED_ATTR: ['href', 'id']
                     }
                 );
diff --git a/lib/I18n.php b/lib/I18n.php
index ed1a1d98..c44b67ed 100644
--- a/lib/I18n.php
+++ b/lib/I18n.php
@@ -125,6 +125,15 @@ class I18n
         } else {
             $args[0] = self::$_translations[$messageId];
         }
+        // encode any non-integer arguments and the message ID, if it doesn't contain a link
+        $argsCount = count($args);
+        if ($argsCount > 1) {
+            for ($i = 0; $i < $argsCount; ++$i) {
+                if (($i > 0 && !is_int($args[$i])) || strpos($args[0], '<a') === false) {
+                    $args[$i] = htmlentities($args[$i], ENT_QUOTES | ENT_XHTML | ENT_DISALLOWED, 'UTF-8');
+                }
+            }
+        }
         return call_user_func_array('sprintf', $args);
     }
 
diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index e7d5980e..d1e24ace 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@@ -72,7 +72,7 @@ endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-2.0.7.js" integrity="sha512-XjNEK1xwh7SJ/7FouwV4VZcGW9cMySL3SwNpXgrURLBcXXQYtZdqhGoNdEwx9vwLvFjUGDQVNgpOrTsXlSTiQg==" crossorigin="anonymous"></script>
 		<script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-LYos+qXHIRqFf5ZPNphvtTB0cgzHUizu2wwcOwcwz/VIpRv9lpcBgPYz4uq6jx0INwCAj6Fbnl5HoKiLufS2jg==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-Q7yHFlVuPYWw/SJFiMv83PPVwGKqBwoqZhNtHAwkTIxocS6Zpqyj1I0/nUCRWv15xuurctViB3lSVs6s+7f0jw==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-F6du+TJ3nokfL4mt94qSzqIXrf/dmwBMMfHwe3tDI86xE47VgwVHUC2tmbEpDQZkoydhXR+Lrnj/wCepoK144w==" crossorigin="anonymous"></script>
 		<link rel="apple-touch-icon" href="img/apple-touch-icon.png?<?php echo rawurlencode($VERSION); ?>" sizes="180x180" />
 		<link rel="icon" type="image/png" href="img/favicon-32x32.png?<?php echo rawurlencode($VERSION); ?>" sizes="32x32" />
 		<link rel="icon" type="image/png" href="img/favicon-16x16.png?<?php echo rawurlencode($VERSION); ?>" sizes="16x16" />
@@ -469,7 +469,7 @@ endif;
 				<noscript>
 					<div id="noscript" role="alert" class="alert alert-<?php echo $isDark ? 'error' : 'warning'; ?>">
 						<span class="glyphicon glyphicon-exclamation-sign" aria-hidden="true"></span>
-						<?php echo I18n::_('JavaScript is required for %s to work.<br />Sorry for the inconvenience.', I18n::_($NAME)), PHP_EOL; ?>
+						<?php echo I18n::_('JavaScript is required for %s to work. Sorry for the inconvenience.', I18n::_($NAME)), PHP_EOL; ?>
 					</div>
 				</noscript>
 				<div id="oldnotice" role="alert" class="hidden alert alert-danger">
diff --git a/tpl/page.php b/tpl/page.php
index 2edbff37..cc11d8e7 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -50,7 +50,7 @@ endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-2.0.7.js" integrity="sha512-XjNEK1xwh7SJ/7FouwV4VZcGW9cMySL3SwNpXgrURLBcXXQYtZdqhGoNdEwx9vwLvFjUGDQVNgpOrTsXlSTiQg==" crossorigin="anonymous"></script>
 		<script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-LYos+qXHIRqFf5ZPNphvtTB0cgzHUizu2wwcOwcwz/VIpRv9lpcBgPYz4uq6jx0INwCAj6Fbnl5HoKiLufS2jg==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-Q7yHFlVuPYWw/SJFiMv83PPVwGKqBwoqZhNtHAwkTIxocS6Zpqyj1I0/nUCRWv15xuurctViB3lSVs6s+7f0jw==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-F6du+TJ3nokfL4mt94qSzqIXrf/dmwBMMfHwe3tDI86xE47VgwVHUC2tmbEpDQZkoydhXR+Lrnj/wCepoK144w==" crossorigin="anonymous"></script>
 		<link rel="apple-touch-icon" href="img/apple-touch-icon.png?<?php echo rawurlencode($VERSION); ?>" sizes="180x180" />
 		<link rel="icon" type="image/png" href="img/favicon-32x32.png?<?php echo rawurlencode($VERSION); ?>" sizes="32x32" />
 		<link rel="icon" type="image/png" href="img/favicon-16x16.png?<?php echo rawurlencode($VERSION); ?>" sizes="16x16" />
@@ -74,7 +74,7 @@ endif;
 			<h1 class="title reloadlink"><?php echo I18n::_($NAME); ?></h1><br />
 			<h2 class="title"><?php echo I18n::_('Because ignorance is bliss'); ?></h2><br />
 			<h3 class="title"><?php echo $VERSION; ?></h3>
-			<noscript><div id="noscript" class="nonworking"><?php echo I18n::_('JavaScript is required for %s to work.<br />Sorry for the inconvenience.', I18n::_($NAME)); ?></div></noscript>
+			<noscript><div id="noscript" class="nonworking"><?php echo I18n::_('JavaScript is required for %s to work. Sorry for the inconvenience.', I18n::_($NAME)); ?></div></noscript>
 			<div id="oldnotice" class="nonworking hidden"><?php echo I18n::_('%s requires a modern browser to work.', I18n::_($NAME)), PHP_EOL; ?>
 				<a href="https://www.mozilla.org/firefox/">Firefox</a>,
 				<a href="https://www.opera.com/">Opera</a>,

From 1b206e8495f86e46ec4bf404a36028f6db6c6f34 Mon Sep 17 00:00:00 2001
From: El RIDO <elrido@gmx.net>
Date: Sat, 1 Feb 2020 09:15:14 +0100
Subject: [PATCH 3/4] ensuring consistent use of php side encoding, testing all
 encoding cases, correctly report the language in the <html> tag

---
 lib/I18n.php      | 15 ++++++++++++++-
 tpl/bootstrap.php | 10 +++++-----
 tpl/page.php      | 10 +++++-----
 tst/I18nTest.php  |  6 +++++-
 4 files changed, 29 insertions(+), 12 deletions(-)

diff --git a/lib/I18n.php b/lib/I18n.php
index c44b67ed..174ed774 100644
--- a/lib/I18n.php
+++ b/lib/I18n.php
@@ -130,13 +130,26 @@ class I18n
         if ($argsCount > 1) {
             for ($i = 0; $i < $argsCount; ++$i) {
                 if (($i > 0 && !is_int($args[$i])) || strpos($args[0], '<a') === false) {
-                    $args[$i] = htmlentities($args[$i], ENT_QUOTES | ENT_XHTML | ENT_DISALLOWED, 'UTF-8');
+                    $args[$i] = self::encode($args[$i]);
                 }
             }
         }
         return call_user_func_array('sprintf', $args);
     }
 
+    /**
+     * encode HTML entities for output into an HTML5 document
+     *
+     * @access public
+     * @static
+     * @param  string $string
+     * @return string
+     */
+    public static function encode($string)
+    {
+        return htmlspecialchars($string, ENT_QUOTES | ENT_HTML5 | ENT_DISALLOWED, 'UTF-8', false);
+    }
+
     /**
      * loads translations
      *
diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index d1e24ace..e2d9bc08 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@@ -4,7 +4,7 @@ $isCpct = substr($template, 9, 8) === '-compact';
 $isDark = substr($template, 9, 5) === '-dark';
 $isPage = substr($template, -5) === '-page';
 ?><!DOCTYPE html>
-<html>
+<html lang="<?php echo I18n::_('en'); ?>">
 	<head>
 		<meta charset="utf-8" />
 		<meta http-equiv="X-UA-Compatible" content="IE=edge">
@@ -440,7 +440,7 @@ if (strlen($NOTICE)):
 ?>
 				<div role="alert" class="alert alert-info">
 					<span class="glyphicon glyphicon-info-sign" aria-hidden="true"></span>
-					<?php echo htmlspecialchars($NOTICE), PHP_EOL; ?>
+					<?php echo I18n::encode($NOTICE), PHP_EOL; ?>
 				</div>
 <?php
 endif;
@@ -460,11 +460,11 @@ endif;
 ?>
 				<div id="status" role="alert" class="alert alert-info<?php echo empty($STATUS) ? ' hidden' : '' ?>">
 					<span class="glyphicon glyphicon-info-sign" aria-hidden="true"></span>
-					<?php echo htmlspecialchars($STATUS), PHP_EOL; ?>
+					<?php echo I18n::encode($STATUS), PHP_EOL; ?>
 				</div>
 				<div id="errormessage" role="alert" class="<?php echo empty($ERROR) ? 'hidden' : '' ?> alert alert-danger">
 					<span class="glyphicon glyphicon-alert" aria-hidden="true"></span>
-					<?php echo htmlspecialchars($ERROR), PHP_EOL; ?>
+					<?php echo I18n::encode($ERROR), PHP_EOL; ?>
 				</div>
 				<noscript>
 					<div id="noscript" role="alert" class="alert alert-<?php echo $isDark ? 'error' : 'warning'; ?>">
@@ -504,7 +504,7 @@ endif;
 if (strlen($URLSHORTENER)):
 ?>
 					<p>
-						<button id="shortenbutton" data-shortener="<?php echo htmlspecialchars($URLSHORTENER); ?>" type="button" class="btn btn-<?php echo $isDark ? 'warning' : 'primary'; ?> btn-block">
+						<button id="shortenbutton" data-shortener="<?php echo I18n::encode($URLSHORTENER); ?>" type="button" class="btn btn-<?php echo $isDark ? 'warning' : 'primary'; ?> btn-block">
 						<span class="glyphicon glyphicon-send" aria-hidden="true"></span> <?php echo I18n::_('Shorten URL'), PHP_EOL; ?>
 					</button>
 					</p>
diff --git a/tpl/page.php b/tpl/page.php
index cc11d8e7..99f73cd5 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -1,7 +1,7 @@
 <?php
 use PrivateBin\I18n;
 ?><!DOCTYPE html>
-<html lang="en">
+<html lang="<?php echo I18n::_('en'); ?>">
 	<head>
 		<meta charset="utf-8" />
 		<meta name="robots" content="noindex" />
@@ -67,7 +67,7 @@ endif;
 <?php
 if (strlen($NOTICE)):
 ?>
-				<span class="blink">▶</span> <?php echo htmlspecialchars($NOTICE);
+				<span class="blink">▶</span> <?php echo I18n::encode($NOTICE);
 endif;
 ?>
 			</div>
@@ -97,8 +97,8 @@ endif;
 		<section>
 			<article>
 				<div id="loadingindicator" class="hidden"><?php echo I18n::_('Loading…'); ?></div>
-				<div id="status"><?php echo htmlspecialchars($STATUS); ?></div>
-				<div id="errormessage" class="hidden"><?php echo htmlspecialchars($ERROR); ?></div>
+				<div id="status"><?php echo I18n::encode($STATUS); ?></div>
+				<div id="errormessage" class="hidden"><?php echo I18n::encode($ERROR); ?></div>
 				<div id="toolbar">
 					<button id="newbutton" class="reloadlink hidden"><img src="img/icon_new.png" width="11" height="15" alt="" /><?php echo I18n::_('New'); ?></button>
 					<button id="retrybutton" class="reloadlink hidden"><?php echo I18n::_('Retry'), PHP_EOL; ?></button>
@@ -207,7 +207,7 @@ endif;
 <?php
 if (strlen($URLSHORTENER)):
 ?>
-					<button id="shortenbutton" data-shortener="<?php echo htmlspecialchars($URLSHORTENER); ?>"><img src="img/icon_shorten.png" width="13" height="15" /><?php echo I18n::_('Shorten URL'); ?></button>
+					<button id="shortenbutton" data-shortener="<?php echo I18n::encode($URLSHORTENER); ?>"><img src="img/icon_shorten.png" width="13" height="15" /><?php echo I18n::_('Shorten URL'); ?></button>
 <?php
 endif;
 ?>
diff --git a/tst/I18nTest.php b/tst/I18nTest.php
index 658ceb18..ffdc5679 100644
--- a/tst/I18nTest.php
+++ b/tst/I18nTest.php
@@ -159,7 +159,11 @@ class I18nTest extends PHPUnit_Framework_TestCase
     {
         $_SERVER['HTTP_ACCEPT_LANGUAGE'] = 'foobar';
         I18n::loadTranslations();
-        $this->assertEquals('some ' . htmlentities('&<>"\'/`=', ENT_QUOTES | ENT_XHTML | ENT_DISALLOWED, 'UTF-8') . ' + 1', I18n::_('some %s + %d', '&<>"\'/`=', 1), 'browser language en');
+        $input = '&<>"\'/`=';
+        $result = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5 | ENT_DISALLOWED, 'UTF-8', false);
+        $this->assertEquals($result, I18n::encode($input), 'encodes HTML entities');
+        $this->assertEquals('<a>some ' . $result . ' + 1</a>', I18n::_('<a>some %s + %d</a>', $input, 1), 'encodes parameters in translations');
+        $this->assertEquals($result . $result, I18n::_($input . '%s', $input), 'encodes message ID as well, when no link');
     }
 
     public function testMessageIdsExistInAllLanguages()

From 21ca30af3c62dd1c6e2d8beb90f62f247d93e01f Mon Sep 17 00:00:00 2001
From: El RIDO <elrido@gmx.net>
Date: Sat, 1 Feb 2020 09:39:14 +0100
Subject: [PATCH 4/4] apply StyleCI recommendation

---
 tst/I18nTest.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tst/I18nTest.php b/tst/I18nTest.php
index ffdc5679..7d549baa 100644
--- a/tst/I18nTest.php
+++ b/tst/I18nTest.php
@@ -159,7 +159,7 @@ class I18nTest extends PHPUnit_Framework_TestCase
     {
         $_SERVER['HTTP_ACCEPT_LANGUAGE'] = 'foobar';
         I18n::loadTranslations();
-        $input = '&<>"\'/`=';
+        $input  = '&<>"\'/`=';
         $result = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5 | ENT_DISALLOWED, 'UTF-8', false);
         $this->assertEquals($result, I18n::encode($input), 'encodes HTML entities');
         $this->assertEquals('<a>some ' . $result . ' + 1</a>', I18n::_('<a>some %s + %d</a>', $input, 1), 'encodes parameters in translations');