Properly escape \n and \r in IRCColourfulRCFeedFormatter

Right now it is possible to emit a raw \n or \r to the UDP feed by
encoding it as an HTML entity, e.g. 
 This could be used for
arbitrary IRC command execution in bots which do not subsequently
perform their own escaping. This commit changes it so that entities are
decoded first before \n and \r are stripped.

Change-Id: I3f7005abded3fbafb586754d763a00a4018f0954

diff --git a/includes/rcfeed/IRCColourfulRCFeedFormatter.php b/includes/rcfeed/IRCColourfulRCFeedFormatter.php
index 30be343..0efcebf 100644 (file)
--- a/includes/rcfeed/IRCColourfulRCFeedFormatter.php
+++ b/includes/rcfeed/IRCColourfulRCFeedFormatter.php
@@ -123,10 +123,10 @@ class IRCColourfulRCFeedFormatter implements RCFeedFormatter {
         * @return string
         */
        public static function cleanupForIRC( $text ) {
-               return Sanitizer::decodeCharReferences( str_replace(
+               return str_replace(
                        array( "\n", "\r" ),
                        array( " ", "" ),
-                       $text
-               ) );
+                       Sanitizer::decodeCharReferences( $text )
+               );
        }
 }