Merge branch '4.0' into 'main'

thorsten · thorsten · commit 1bad701f4a0d · 2025-11-01T16:43:27.000+01:00
diff --git a/phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/UserController.php b/phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/UserController.php
@@ -317,7 +317,7 @@ public function addUser(Request $request): JsonResponse
         $errorMessage = [];
 
         $userName = Filter::filterVar($data->userName, FILTER_SANITIZE_SPECIAL_CHARS);
-        $userRealName = Filter::filterVar($data->realName, FILTER_SANITIZE_SPECIAL_CHARS);
+        $userRealName = trim(strip_tags((string) $data->realName));
         $userEmail = Filter::filterVar($data->email, FILTER_VALIDATE_EMAIL);
         $automaticPassword = Filter::filterVar($data->automaticPassword, FILTER_VALIDATE_BOOLEAN);
         $userPassword = Filter::filterVar($data->password, FILTER_SANITIZE_SPECIAL_CHARS);
@@ -391,7 +391,7 @@ public function editUser(Request $request): JsonResponse
         }
 
         $userData = [];
-        $userData['display_name'] = Filter::filterVar($data->display_name, FILTER_SANITIZE_SPECIAL_CHARS);
+        $userData['display_name'] = trim(strip_tags((string) $data->display_name));
         $userData['email'] = Filter::filterVar($data->email, FILTER_VALIDATE_EMAIL);
         $userData['last_modified'] = Filter::filterVar($data->last_modified, FILTER_SANITIZE_SPECIAL_CHARS);
         $userStatus = Filter::filterVar($data->user_status, FILTER_SANITIZE_SPECIAL_CHARS, 'active');
diff --git a/phpmyfaq/src/phpMyFAQ/Controller/Frontend/RegistrationController.php b/phpmyfaq/src/phpMyFAQ/Controller/Frontend/RegistrationController.php
@@ -40,7 +40,7 @@ public function create(Request $request): JsonResponse
 
         $data = json_decode($request->getContent(), false, 512, JSON_THROW_ON_ERROR);
 
-        $fullName = trim((string) Filter::filterVar($data->realname, FILTER_SANITIZE_SPECIAL_CHARS));
+        $fullName = trim(strip_tags((string) $data->realname));
         $userName = trim((string) Filter::filterVar($data->name, FILTER_SANITIZE_SPECIAL_CHARS));
         $email = trim((string) Filter::filterVar($data->email, FILTER_VALIDATE_EMAIL));
         $isVisible = Filter::filterVar($data->isVisible, FILTER_SANITIZE_SPECIAL_CHARS) ?? false;
diff --git a/phpmyfaq/src/phpMyFAQ/Controller/Frontend/UserController.php b/phpmyfaq/src/phpMyFAQ/Controller/Frontend/UserController.php
@@ -54,7 +54,7 @@ public function updateData(Request $request): JsonResponse
         }
 
         $userId = Filter::filterVar($data->userid, FILTER_VALIDATE_INT);
-        $userName = trim((string) Filter::filterVar($data->name, FILTER_SANITIZE_SPECIAL_CHARS));
+        $userName = trim(strip_tags((string) $data->name));
         $email = Filter::filterVar($data->email, FILTER_VALIDATE_EMAIL);
         $isVisible = Filter::filterVar($data->{'is_visible'}, FILTER_SANITIZE_SPECIAL_CHARS);
         $password = trim((string) Filter::filterVar($data->faqpassword, FILTER_SANITIZE_SPECIAL_CHARS));
diff --git a/phpmyfaq/src/phpMyFAQ/User/UserData.php b/phpmyfaq/src/phpMyFAQ/User/UserData.php
@@ -80,6 +80,15 @@ public function get(mixed $field): mixed
 
         $array = $this->configuration->getDb()->fetchArray($res);
 
+        // Decode HTML entities in display_name for backward compatibility
+        if (isset($array['display_name'])) {
+            $array['display_name'] = html_entity_decode(
+                $array['display_name'],
+                ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE,
+                'UTF-8',
+            );
+        }
+
         return $singleReturn && $field != '*' ? $array[$field] : $array;
     }
 
diff --git a/tests/phpMyFAQ/User/UserDataTest.php b/tests/phpMyFAQ/User/UserDataTest.php
@@ -118,4 +118,26 @@ public function testEmailExistsReturnsFalseForEmptyEmail(): void
         $result = $this->userData->emailExists('');
         $this->assertFalse($result);
     }
+
+    public function testGetDecodesHtmlEntitiesInDisplayName(): void
+    {
+        $this->database->method('query')->willReturn(true);
+        $this->database->method('numRows')->willReturn(1);
+        $this->database->method('fetchArray')->willReturn(['display_name' => 'J&uuml;rgen']);
+
+        $this->userData->load(1);
+        $result = $this->userData->get('display_name');
+        $this->assertEquals('Jürgen', $result);
+    }
+
+    public function testGetPreservesPlainUtf8InDisplayName(): void
+    {
+        $this->database->method('query')->willReturn(true);
+        $this->database->method('numRows')->willReturn(1);
+        $this->database->method('fetchArray')->willReturn(['display_name' => 'Jürgen']);
+
+        $this->userData->load(1);
+        $result = $this->userData->get('display_name');
+        $this->assertEquals('Jürgen', $result);
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,7 @@ public function updateData(Request $request): JsonResponse`
`54`	`54`	`}`
`55`	`55`
`56`	`56`	`$userId = Filter::filterVar($data->userid, FILTER_VALIDATE_INT);`
`57`		`- $userName = trim((string) Filter::filterVar($data->name, FILTER_SANITIZE_SPECIAL_CHARS));`
	`57`	`+ $userName = trim(strip_tags((string) $data->name));`
`58`	`58`	`$email = Filter::filterVar($data->email, FILTER_VALIDATE_EMAIL);`
`59`	`59`	`$isVisible = Filter::filterVar($data->{'is_visible'}, FILTER_SANITIZE_SPECIAL_CHARS);`
`60`	`60`	`$password = trim((string) Filter::filterVar($data->faqpassword, FILTER_SANITIZE_SPECIAL_CHARS));`