From 1f625787b63ff589afb69f4ee6b4def80c0156ae Mon Sep 17 00:00:00 2001
From: Jared Hancock <jared@osticket.com>
Date: Wed, 16 Apr 2014 10:37:42 -0500
Subject: [PATCH] html: Avoid corrupting quoted style attributes

For instance, this style is currently converted from
```
<span style="font-family:'courier new';">
```
to
```
<span style="font-family:&quot;">
```

Also discard Microsoft Office specific style attributes such as `mso-list`
and friends
---
 include/class.format.php | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/include/class.format.php b/include/class.format.php
index e3f7b415a..826172647 100644
--- a/include/class.format.php
+++ b/include/class.format.php
@@ -177,14 +177,16 @@ class Format {
         }
         // Clean browser-specific style attributes
         if (isset($attributes['style'])) {
-            $styles = explode(';', $attributes['style']);
-            foreach ($styles as $i=>$s) {
+            $styles = explode(';', html_entity_decode($attributes['style']));
+            foreach ($styles as $i=>&$s) {
                 @list($prop, $val) = explode(':', $s);
-                if (!$val || !$prop || $prop[0] == '-')
+                if (!$val || !$prop || $prop[0] == '-' || substr($prop, 0, 4) == 'mso-')
                     unset($styles[$i]);
+                if (!strpos($val, ' '))
+                    $s = str_replace('"','', $s);
             }
             if ($styles)
-                $attributes['style'] = implode(';', $styles);
+                $attributes['style'] = Format::htmlencode(implode(';', $styles));
             else
                 unset($attributes['style']);
         }
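Review bot: The new `mso-` test, like the existing `-` prefix test beside it, runs on the untrimmed `$prop`, so a declaration written after `; ` with a space (e.g. `color:red; mso-list:l0`) is not matched and stays in the attribute; adding `$prop = trim($prop);` before the `if` would make both checks effective. After `unset($styles[$i])` the loop still falls through to the quote handling for the dropped entry, so a `continue;` there would state the intent. `!strpos($val, ' ')` also treats a space at offset 0 as "no space", which strips the quotes from `font-family: "courier new"`; `if (strpos($val, ' ') === false)` avoids that. Because `$s` is now bound by reference, add `unset($s);` after the loop so a later write to `$s` cannot alter the last style entry. The enclosing method starts and ends outside this hunk.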
@@ -246,7 +248,7 @@ class Format {
     }
 
     function htmlencode($var) {
-        $flags = ENT_COMPAT | ENT_QUOTES;
+        $flags = ENT_COMPAT;
         if (phpversion() >= '5.4.0')
             $flags |= ENT_HTML401;
 
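Review bot: Dropping `ENT_QUOTES` from `$flags` changes `Format::htmlencode()` for every caller, not only the style cleaner: single quotes are no longer converted to an entity, so any output that places the result inside a single-quoted attribute loses its escaping. The callers are not visible in this patch, so they would need an audit before the default is relaxed. A narrower change keeps `$flags = ENT_QUOTES;` as the default (the old `ENT_COMPAT | ENT_QUOTES` is the same value) and lets only the style cleaner request `ENT_COMPAT`, for example through an optional flags argument on `htmlencode`. The body of `htmlencode` continues past the end of this hunk.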
-- 
GitLab