Ensure that purify isn't applied twice for an already purified SafeString

2 files changed, 14 insertions, 2 deletions

diff --git a/modules/gallery/libraries/SafeString.php b/modules/gallery/libraries/SafeString.php
index 800647fa..e6f54add 100644
--- a/modules/gallery/libraries/SafeString.php
+++ b/modules/gallery/libraries/SafeString.php
@@ -51,7 +51,11 @@ class SafeString_Core {
    */
   static function purify($string) {
     if ($string instanceof SafeString) {
-      $string = $string->unescaped();
+      if ($string->_is_purified_html) {
+        return $string;
+      } else {
+        $string = $string->unescaped();
+      }
     }
     $safe_string = self::of_safe_html(self::_purify_for_html($string));
     $safe_string->_is_purified_html = true;
diff --git a/modules/gallery/tests/SafeString_Test.php b/modules/gallery/tests/SafeString_Test.php
index 37a1865f..57ac87b9 100644
--- a/modules/gallery/tests/SafeString_Test.php
+++ b/modules/gallery/tests/SafeString_Test.php
@@ -93,7 +93,15 @@ class SafeString_Test extends Unit_Test_Case {
     $safe_string = SafeString::purify("hello <p  >world</p>");
     $expected =
       module::is_active("htmlpurifier") ? "hello <p>world</p>" : "hello &lt;p  &gt;world&lt;/p&gt;";
-    $this->assert_equal($expected, $safe_string->unescaped());
+    $this->assert_equal($expected, $safe_string);
+  }
+
+  public function purify_twice_test() {
+    $safe_string = SafeString::purify("hello <p  >world</p>");
+    $safe_string_2 = SafeString::purify($safe_string);
+    $expected =
+      module::is_active("htmlpurifier") ? "hello <p>world</p>" : "hello &lt;p  &gt;world&lt;/p&gt;";
+    $this->assert_equal($expected, $safe_string_2);
   }
 
   public function of_fluid_api_test() {