/includes/wikiengine/TagSanitizer.php
PHP | 858 lines | 840 code | 4 blank | 14 comment | 0 complexity | dcef7b31a7103e2836399866cfb3e278 MD5 | raw file
Possible License(s): GPL-2.0
- <?php
- /*
- * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between
- * Copyright (C) 2006-2009 Dan Fuhry
- *
- * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
- * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details.
- *
- * This script contains code originally found in MediaWiki (http://www.mediawiki.org). MediaWiki is also licensed under
- * the GPLv2 or later; see the file GPL included with this package for details.
- */
- $attrib = '[a-zA-Z0-9]';
- $space = '[\x09\x0a\x0d\x20]';
- define( 'MW_CHAR_REFS_REGEX',
- '/&([A-Za-z0-9]+);
- |&\#([0-9]+);
- |&\#x([0-9A-Za-z]+);
- |&\#X([0-9A-Za-z]+);
- |(&)/x' );
- define( 'MW_ATTRIBS_REGEX',
- "/(?:^|$space)($attrib+)
- ($space*=$space*
- (?:
- # The attribute value: quoted or alone
- \"([^<\"]*)\"
- | '([^<']*)'
- | ([a-zA-Z0-9!#$%&()*,\\-.\\/:;<>?@[\\]^_`{|}~]+)
- | (\#[0-9a-fA-F]+) # Technically wrong, but lots of
- # colors are specified like this.
- # We'll be normalizing it.
- )
- )?(?=$space|\$)/sx" );
- /**
- * Take a tag soup fragment listing an HTML element's attributes
- * and normalize it to well-formed XML, discarding unwanted attributes.
- * Output is safe for further wikitext processing, with escaping of
- * values that could trigger problems.
- *
- * - Normalizes attribute names to lowercase
- * - Discards attributes not on a whitelist for the given element
- * - Turns broken or invalid entities into plaintext
- * - Double-quotes all attribute values
- * - Attributes without values are given the name as attribute
- * - Double attributes are discarded
- * - Unsafe style attributes are discarded
- * - Prepends space if there are attributes.
- *
- * @param string $text
- * @param string $element
- * @return string
- */
- function fixTagAttributes( $text, $element ) {
- if( trim( $text ) == '' ) {
- return '';
- }
-
- $stripped = validateTagAttributes(
- decodeTagAttributes( $text ), $element );
-
- $attribs = array();
- foreach( $stripped as $attribute => $value ) {
- $encAttribute = htmlspecialchars( $attribute );
- $encValue = safeEncodeAttribute( $value );
-
- $attribs[] = "$encAttribute=".'"'."$encValue".'"'.""; // "
- }
- return count( $attribs ) ? ' ' . implode( ' ', $attribs ) : '';
- }
- /**
- * Encode an attribute value for HTML tags, with extra armoring
- * against further wiki processing.
- * @param $text
- * @return HTML-encoded text fragment
- */
- function safeEncodeAttribute( $text ) {
- $encValue= encodeAttribute( $text );
-
- # Templates and links may be expanded in later parsing,
- # creating invalid or dangerous output. Suppress this.
- $encValue = strtr( $encValue, array(
- '<' => '<', // This should never happen,
- '>' => '>', // we've received invalid input
- '"' => '"', // which should have been escaped.
- '{' => '{',
- '[' => '[',
- "''" => '''',
- 'ISBN' => 'ISBN',
- 'RFC' => 'RFC',
- 'PMID' => 'PMID',
- '|' => '|',
- '__' => '__',
- ) );
- return $encValue;
- }
- /**
- * Encode an attribute value for HTML output.
- * @param $text
- * @return HTML-encoded text fragment
- */
- function encodeAttribute( $text ) {
-
- // In Enano 1.0.3, added this cheapo hack to keep ampersands
- // from being double-sanitized. Thanks to markybob from #deluge.
-
- // htmlspecialchars() the "manual" way
- $encValue = strtr( $text, array(
- '&' => '&',
- '"' => '"',
- '<' => '<',
- '>' => '>',
- ''' => "'"
- ) );
-
- $encValue = strtr( $text, array(
- '&' => '&',
- '"' => '"',
- '<' => '<',
- '>' => '>',
- "'" => '''
- ) );
-
-
- // Whitespace is normalized during attribute decoding,
- // so if we've been passed non-spaces we must encode them
- // ahead of time or they won't be preserved.
- $encValue = strtr( $encValue, array(
- "\n" => ' ',
- "\r" => ' ',
- "\t" => '	',
- ) );
-
- return $encValue;
- }
- function unstripForHTML( $text ) {
- global $mStripState;
- $text = unstrip( $text, $mStripState );
- $text = unstripNoWiki( $text, $mStripState );
- return $text;
- }
- /**
- * Always call this after unstrip() to preserve the order
- *
- * @private
- */
- function unstripNoWiki( $text, &$state ) {
- if ( !isset( $state['nowiki'] ) ) {
- return $text;
- }
- # TODO: good candidate for FSS
- $text = strtr( $text, $state['nowiki'] );
-
- return $text;
- }
- /**
- * Take an array of attribute names and values and normalize or discard
- * illegal values for the given element type.
- *
- * - Discards attributes not on a whitelist for the given element
- * - Unsafe style attributes are discarded
- *
- * @param array $attribs
- * @param string $element
- * @return array
- *
- * @todo Check for legal values where the DTD limits things.
- * @todo Check for unique id attribute :P
- */
- function validateTagAttributes( $attribs, $element ) {
- $whitelist = array_flip( attributeWhitelist( $element ) );
- $out = array();
- foreach( $attribs as $attribute => $value ) {
- if( !isset( $whitelist[$attribute] ) ) {
- continue;
- }
- # Strip javascript "expression" from stylesheets.
- # http://msdn.microsoft.com/workshop/author/dhtml/overview/recalc.asp
- if( $attribute == 'style' ) {
- $value = checkCss( $value );
- if( $value === false ) {
- # haxx0r
- continue;
- }
- }
- if ( $attribute === 'id' )
- $value = escapeId( $value );
- // If this attribute was previously set, override it.
- // Output should only have one attribute of each name.
- $out[$attribute] = $value;
- }
- return $out;
- }
- /**
- * Pick apart some CSS and check it for forbidden or unsafe structures.
- * Returns a sanitized string, or false if it was just too evil.
- *
- * Currently URL references, 'expression', 'tps' are forbidden.
- *
- * @param string $value
- * @return mixed
- */
- function checkCss( $value ) {
- $stripped = decodeCharReferences( $value );
- // Remove any comments; IE gets token splitting wrong
- $stripped = preg_replace( '!/\\*.*?\\*/!S', '', $stripped );
- $value = $stripped;
- // ... and continue checks
- $stripped = preg_replace( '!\\\\([0-9A-Fa-f]{1,6})[ \\n\\r\\t\\f]?!e',
- 'codepointToUtf8(hexdec("$1"))', $stripped );
- $stripped = str_replace( '\\', '', $stripped );
- if( preg_match( '/(expression|tps*:\/\/|url\\s*\().*/is',
- $stripped ) ) {
- # haxx0r
- return false;
- }
-
- return $value;
- }
- /**
- * Decode any character references, numeric or named entities,
- * in the text and return a UTF-8 string.
- *
- * @param string $text
- * @return string
- * @access public
- * @static
- */
- function decodeCharReferences( $text ) {
- return preg_replace_callback(
- MW_CHAR_REFS_REGEX,
- 'decodeCharReferencesCallback',
- $text );
- }
- /**
- * Fetch the whitelist of acceptable attributes for a given
- * element name.
- *
- * @param string $element
- * @return array
- */
- function attributeWhitelist( $element ) {
- static $list;
- if( !isset( $list ) ) {
- $list = setupAttributeWhitelist();
- }
- return isset( $list[$element] )
- ? $list[$element]
- : array();
- }
- /**
- * @todo Document it a bit
- * @return array
- */
- function setupAttributeWhitelist() {
- global $db, $session, $paths, $template, $plugins;
- $common = array( 'id', 'class', 'lang', 'dir', 'title', 'style' );
- $block = array_merge( $common, array( 'align' ) );
- $tablealign = array( 'align', 'char', 'charoff', 'valign' );
- $tablecell = array( 'abbr',
- 'axis',
- 'headers',
- 'scope',
- 'rowspan',
- 'colspan',
- 'nowrap', # deprecated
- 'width', # deprecated
- 'height', # deprecated
- 'bgcolor' # deprecated
- );
- # Numbers refer to sections in HTML 4.01 standard describing the element.
- # See: http://www.w3.org/TR/html4/
- $whitelist = array (
- # 7.5.4
- 'div' => $block,
- 'center' => $common, # deprecated
- 'span' => $block, # ??
- # 7.5.5
- 'h1' => $block,
- 'h2' => $block,
- 'h3' => $block,
- 'h4' => $block,
- 'h5' => $block,
- 'h6' => $block,
- # 7.5.6
- # address
- # 8.2.4
- # bdo
- # 9.2.1
- 'em' => $common,
- 'strong' => $common,
- 'cite' => $common,
- # dfn
- 'code' => $common,
- # samp
- # kbd
- 'var' => $common,
- # abbr
- # acronym
- # 9.2.2
- 'blockquote' => array_merge( $common, array( 'cite' ) ),
- # q
- # 9.2.3
- 'sub' => $common,
- 'sup' => $common,
- # 9.3.1
- 'p' => $block,
- # 9.3.2
- 'br' => array( 'id', 'class', 'title', 'style', 'clear' ),
- # 9.3.4
- 'pre' => array_merge( $common, array( 'width' ) ),
- # 9.4
- 'ins' => array_merge( $common, array( 'cite', 'datetime' ) ),
- 'del' => array_merge( $common, array( 'cite', 'datetime' ) ),
- # 10.2
- 'ul' => array_merge( $common, array( 'type' ) ),
- 'ol' => array_merge( $common, array( 'type', 'start' ) ),
- 'li' => array_merge( $common, array( 'type', 'value' ) ),
- # 10.3
- 'dl' => $common,
- 'dd' => $common,
- 'dt' => $common,
- # 11.2.1
- 'table' => array_merge( $common,
- array( 'summary', 'width', 'border', 'frame',
- 'rules', 'cellspacing', 'cellpadding',
- 'align', 'bgcolor',
- ) ),
- # 11.2.2
- 'caption' => array_merge( $common, array( 'align' ) ),
- # 11.2.3
- 'thead' => array_merge( $common, $tablealign ),
- 'tfoot' => array_merge( $common, $tablealign ),
- 'tbody' => array_merge( $common, $tablealign ),
- # 11.2.4
- 'colgroup' => array_merge( $common, array( 'span', 'width' ), $tablealign ),
- 'col' => array_merge( $common, array( 'span', 'width' ), $tablealign ),
- # 11.2.5
- 'tr' => array_merge( $common, array( 'bgcolor' ), $tablealign ),
- # 11.2.6
- 'td' => array_merge( $common, $tablecell, $tablealign ),
- 'th' => array_merge( $common, $tablecell, $tablealign ),
-
- # 12.2
- # added by dan
- 'a' => array_merge( $common, array( 'href', 'name' ) ),
-
- # 13.2
- # added by dan
- 'img' => array_merge( $common, array( 'src', 'width', 'height', 'alt' ) ),
- # 15.2.1
- 'tt' => $common,
- 'b' => $common,
- 'i' => $common,
- 'big' => $common,
- 'small' => $common,
- 'strike' => $common,
- 's' => $common,
- 'u' => $common,
- # 15.2.2
- 'font' => array_merge( $common, array( 'size', 'color', 'face' ) ),
- # basefont
- # 15.3
- 'hr' => array_merge( $common, array( 'noshade', 'size', 'width' ) ),
- # XHTML Ruby annotation text module, simple ruby only.
- # http://www.w3c.org/TR/ruby/
- 'ruby' => $common,
- # rbc
- # rtc
- 'rb' => $common,
- 'rt' => $common, #array_merge( $common, array( 'rbspan' ) ),
- 'rp' => $common,
-
- # For compatibility with the XHTML parser.
- 'nowiki' => array(),
- 'noinclude' => array(),
- 'nodisplay' => array(),
- 'lang' => array('code'),
-
- # XHTML stuff
- 'acronym' => $common
- );
-
- // custom tags can be added by plugins
- $code = $plugins->setHook('html_attribute_whitelist');
- foreach ( $code as $cmd )
- {
- eval($cmd);
- }
-
- return $whitelist;
- }
- /**
- * Given a value escape it so that it can be used in an id attribute and
- * return it, this does not validate the value however (see first link)
- *
- * @link http://www.w3.org/TR/html401/types.html#type-name Valid characters
- * in the id and
- * name attributes
- * @link http://www.w3.org/TR/html401/struct/links.html#h-12.2.3 Anchors with the id attribute
- *
- * @bug 4461
- *
- * @static
- *
- * @param string $id
- * @return string
- */
- function escapeId( $id ) {
- static $replace = array(
- '%3A' => ':',
- '%' => '.'
- );
- $id = urlencode( decodeCharReferences( strtr( $id, ' ', '_' ) ) );
- return str_replace( array_keys( $replace ), array_values( $replace ), $id );
- }
- /**
- * More or less "markup-safe" explode()
- * Ignores any instances of the separator inside <...>
- * @param string $separator
- * @param string $text
- * @return array
- */
- function wfExplodeMarkup( $separator, $text ) {
- $placeholder = "\x00";
-
- // Just in case...
- $text = str_replace( $placeholder, '', $text );
-
- // Trim stuff
- $replacer = new ReplacerCallback( $separator, $placeholder );
- $cleaned = preg_replace_callback( '/(<.*?>)/', array( $replacer, 'go' ), $text );
-
- $items = explode( $separator, $cleaned );
- foreach( $items as $i => $str ) {
- $items[$i] = str_replace( $placeholder, $separator, $str );
- }
-
- return $items;
- }
- class ReplacerCallback {
- function ReplacerCallback( $from, $to ) {
- $this->from = $from;
- $this->to = $to;
- }
-
- function go( $matches ) {
- return str_replace( $this->from, $this->to, $matches[1] );
- }
- }
- /**
- * Return an associative array of attribute names and values from
- * a partial tag string. Attribute names are forces to lowercase,
- * character references are decoded to UTF-8 text.
- *
- * @param string
- * @return array
- */
- function decodeTagAttributes( $text ) {
- $attribs = array();
- if( trim( $text ) == '' ) {
- return $attribs;
- }
- $pairs = array();
- if( !preg_match_all(
- MW_ATTRIBS_REGEX,
- $text,
- $pairs,
- PREG_SET_ORDER ) ) {
- return $attribs;
- }
- foreach( $pairs as $set ) {
- $attribute = strtolower( $set[1] );
- $value = getTagAttributeCallback( $set );
-
- // Normalize whitespace
- $value = preg_replace( '/[\t\r\n ]+/', ' ', $value );
- $value = trim( $value );
-
- // Decode character references
- $attribs[$attribute] = decodeCharReferences( $value );
- }
- return $attribs;
- }
- /**
- * Pick the appropriate attribute value from a match set from the
- * MW_ATTRIBS_REGEX matches.
- *
- * @param array $set
- * @return string
- * @access private
- */
- function getTagAttributeCallback( $set ) {
- if( isset( $set[6] ) ) {
- # Illegal #XXXXXX color with no quotes.
- return $set[6];
- } elseif( isset( $set[5] ) ) {
- # No quotes.
- return $set[5];
- } elseif( isset( $set[4] ) ) {
- # Single-quoted
- return $set[4];
- } elseif( isset( $set[3] ) ) {
- # Double-quoted
- return $set[3];
- } elseif( !isset( $set[2] ) ) {
- # In XHTML, attributes must have a value.
- # For 'reduced' form, return explicitly the attribute name here.
- return $set[1];
- } else {
- die_friendly('Parser error', "<p>Tag conditions not met. This should never happen and is a bug.</p>" );
- }
- }
- /**
- * Strips and renders nowiki, pre, math, hiero
- * If $render is set, performs necessary rendering operations on plugins
- * Returns the text, and fills an array with data needed in unstrip()
- * If the $state is already a valid strip state, it adds to the state
- *
- * @param bool $stripcomments when set, HTML comments <!-- like this -->
- * will be stripped in addition to other tags. This is important
- * for section editing, where these comments cause confusion when
- * counting the sections in the wikisource
- *
- * @param array dontstrip contains tags which should not be stripped;
- * used to prevent stipping of <gallery> when saving (fixes bug 2700)
- *
- * @access private
- */
- function mwStrip( $text, &$state, $stripcomments = false , $dontstrip = array () ) {
- global $wgRandomKey;
- $render = true;
- $wgRandomKey = "\x07UNIQ" . dechex(mt_rand(0, 0x7fffffff)) . dechex(mt_rand(0, 0x7fffffff));
- $uniq_prefix =& $wgRandomKey;
- $commentState = array();
-
- $elements = array( 'nowiki', 'gallery' );
-
- # Removing $dontstrip tags from $elements list (currently only 'gallery', fixing bug 2700)
- foreach ( $elements AS $k => $v ) {
- if ( !in_array ( $v , $dontstrip ) ) continue;
- unset ( $elements[$k] );
- }
-
- $matches = array();
- $text = extractTagsAndParams( $elements, $text, $matches, $uniq_prefix );
- foreach( $matches as $marker => $data ) {
- list( $element, $content, $params, $tag ) = $data;
- if( $render ) {
- $tagName = strtolower( $element );
- switch( $tagName ) {
- case '!--':
- // Comment
- if( substr( $tag, -3 ) == '-->' ) {
- $output = $tag;
- } else {
- // Unclosed comment in input.
- // Close it so later stripping can remove it
- $output = "$tag-->";
- }
- break;
- case 'html':
- if( $wgRawHtml ) {
- $output = $content;
- break;
- }
- // Shouldn't happen otherwise. :)
- case 'nowiki':
- $output = wfEscapeHTMLTagsOnly( $content );
- break;
- default:
- }
- } else {
- // Just stripping tags; keep the source
- $output = $tag;
- }
- // Unstrip the output, because unstrip() is no longer recursive so
- // it won't do it itself
- $output = unstrip( $output, $state );
- if( !$stripcomments && $element == '!--' ) {
- $commentState[$marker] = $output;
- } elseif ( $element == 'html' || $element == 'nowiki' ) {
- $state['nowiki'][$marker] = $output;
- } else {
- $state['general'][$marker] = $output;
- }
- }
- # Unstrip comments unless explicitly told otherwise.
- # (The comments are always stripped prior to this point, so as to
- # not invoke any extension tags / parser hooks contained within
- # a comment.)
- if ( !$stripcomments ) {
- // Put them all back and forget them
- $text = strtr( $text, $commentState );
- }
- return $text;
- }
- /**
- * Replaces all occurrences of HTML-style comments and the given tags
- * in the text with a random marker and returns teh next text. The output
- * parameter $matches will be an associative array filled with data in
- * the form:
- * 'UNIQ-xxxxx' => array(
- * 'element',
- * 'tag content',
- * array( 'param' => 'x' ),
- * '<element param="x">tag content</element>' ) )
- *
- * @param $elements list of element names. Comments are always extracted.
- * @param $text Source text string.
- * @param $uniq_prefix
- *
- * @access private
- * @static
- */
- function extractTagsAndParams($elements, $text, &$matches, $uniq_prefix = ''){
- static $n = 1;
- $stripped = '';
- $matches = array();
- $taglist = implode( '|', $elements );
- $start = "/<($taglist)(\\s+[^>]*?|\\s*?)(\/?>)|<(!--)/i";
- while ( '' != $text ) {
- $p = preg_split( $start, $text, 2, PREG_SPLIT_DELIM_CAPTURE );
- $stripped .= $p[0];
- if( count( $p ) < 5 ) {
- break;
- }
- if( count( $p ) > 5 ) {
- // comment
- $element = $p[4];
- $attributes = '';
- $close = '';
- $inside = $p[5];
- } else {
- // tag
- $element = $p[1];
- $attributes = $p[2];
- $close = $p[3];
- $inside = $p[4];
- }
- $marker = "$uniq_prefix-$element-" . sprintf('%08X', $n++) . '-QINU';
- $stripped .= $marker;
- if ( $close === '/>' ) {
- // Empty element tag, <tag />
- $content = null;
- $text = $inside;
- $tail = null;
- } else {
- if( $element == '!--' ) {
- $end = '/(-->)/';
- } else {
- $end = "/(<\\/$element\\s*>)/i";
- }
- $q = preg_split( $end, $inside, 2, PREG_SPLIT_DELIM_CAPTURE );
- $content = $q[0];
- if( count( $q ) < 3 ) {
- # No end tag -- let it run out to the end of the text.
- $tail = '';
- $text = '';
- } else {
- $tail = $q[1];
- $text = $q[2];
- }
- }
-
- $matches[$marker] = array( $element,
- $content,
- decodeTagAttributes( $attributes ),
- "<$element$attributes$close$content$tail" );
- }
- return $stripped;
- }
- /**
- * Escape html tags
- * Basically replacing " > and < with HTML entities ( ", >, <)
- *
- * @param $in String: text that might contain HTML tags.
- * @return string Escaped string
- */
- function wfEscapeHTMLTagsOnly( $in ) {
- return str_replace(
- array( '"', '>', '<' ),
- array( '"', '>', '<' ),
- $in );
- }
- /**
- * Restores pre, math, and other extensions removed by strip()
- *
- * always call unstripNoWiki() after this one
- * @private
- */
- function unstrip( $text, &$state ) {
- if ( !isset( $state['general'] ) ) {
- return $text;
- }
- # TODO: good candidate for FSS
- $text = strtr( $text, $state['general'] );
-
- return $text;
- }
- /**
- * Return UTF-8 string for a codepoint if that is a valid
- * character reference, otherwise U+FFFD REPLACEMENT CHARACTER.
- * @param int $codepoint
- * @return string
- * @private
- */
- function decodeChar( $codepoint ) {
- if( validateCodepoint( $codepoint ) ) {
- return codepointToUtf8( $codepoint );
- } else {
- return UTF8_REPLACEMENT;
- }
- }
- /**
- * If the named entity is defined in the HTML 4.0/XHTML 1.0 DTD,
- * return the UTF-8 encoding of that character. Otherwise, returns
- * pseudo-entity source (eg &foo;)
- *
- * @param string $name
- * @return string
- */
- function decodeEntity( $name ) {
- global $wgHtmlEntities;
- if( isset( $wgHtmlEntities[$name] ) ) {
- return codepointToUtf8( $wgHtmlEntities[$name] );
- } else {
- return "&$name;";
- }
- }
- /**
- * Returns true if a given Unicode codepoint is a valid character in XML.
- * @param int $codepoint
- * @return bool
- */
- function validateCodepoint( $codepoint ) {
- return ($codepoint == 0x09)
- || ($codepoint == 0x0a)
- || ($codepoint == 0x0d)
- || ($codepoint >= 0x20 && $codepoint <= 0xd7ff)
- || ($codepoint >= 0xe000 && $codepoint <= 0xfffd)
- || ($codepoint >= 0x10000 && $codepoint <= 0x10ffff);
- }
-
- /**
- * Return UTF-8 sequence for a given Unicode code point.
- * May die if fed out of range data.
- *
- * @param $codepoint Integer:
- * @return String
- * @public
- */
- function codepointToUtf8( $codepoint ) {
- if($codepoint < 0x80) return chr($codepoint);
- if($codepoint < 0x800) return chr($codepoint >> 6 & 0x3f | 0xc0) .
- chr($codepoint & 0x3f | 0x80);
- if($codepoint < 0x10000) return chr($codepoint >> 12 & 0x0f | 0xe0) .
- chr($codepoint >> 6 & 0x3f | 0x80) .
- chr($codepoint & 0x3f | 0x80);
- if($codepoint < 0x110000) return chr($codepoint >> 18 & 0x07 | 0xf0) .
- chr($codepoint >> 12 & 0x3f | 0x80) .
- chr($codepoint >> 6 & 0x3f | 0x80) .
- chr($codepoint & 0x3f | 0x80);
- echo "Asked for code outside of range ($codepoint)\n";
- die( -1 );
- }
- /**
- * @param string $matches
- * @return string
- */
- function decodeCharReferencesCallback( $matches ) {
- if( $matches[1] != '' ) {
- return decodeEntity( $matches[1] );
- } elseif( $matches[2] != '' ) {
- return decodeChar( intval( $matches[2] ) );
- } elseif( $matches[3] != '' ) {
- return decodeChar( hexdec( $matches[3] ) );
- } elseif( $matches[4] != '' ) {
- return decodeChar( hexdec( $matches[4] ) );
- }
- # Last case should be an ampersand by itself
- return $matches[0];
- }