Question

I'm using CakePHP 1.3.7 and ran into a very specific issue.

The Sanitize core class method used in my application is the one from version 1.2. When I want to save particular data, it gives me a warning:

Warning: array_merge(): Argument #2 is not an array in /usr/share/php/cake/libs/sanitize.php on line 113

but it does save, and with the right encoding/format.

Here's the method that causes this warning (version 1.2, which is NOT on line 113, but I'll come to that later):

    function html($string, $remove = false) {
        if ($remove) {
            $string = strip_tags($string);
        } else {
            $patterns = array("/\&/", "/%/", "/</", "/>/", '/"/', "/'/", "/\(/", "/\)/", "/\+/", "/-/");
            $replacements = array("&amp;", "&#37;", "&lt;", "&gt;", "&quot;", "&#39;", "&#40;", "&#41;", "&#43;", "&#45;");
            $string = preg_replace($patterns, $replacements, $string);
        }
        return $string;
    }

And here's how this method is called:

    $value = Sanitize::html($value,true);

Now as you can see, array_merge() is not called in this method, but if I replace the html() method with the 1.3 version

    function html($string, $options = array()) {
        static $defaultCharset = false;
        if ($defaultCharset === false) {
            $defaultCharset = Configure::read('App.encoding');
            if ($defaultCharset === null) {
                $defaultCharset = 'UTF-8';
            }
        }
        $default = array(
            'remove' => false,
            'charset' => $defaultCharset,
            'quotes' => ENT_QUOTES
        );

        $options = array_merge($default, $options);

        if ($options['remove']) {
            $string = strip_tags($string);
        }

        return htmlentities($string, $options['quotes'], $options['charset']);
    }

array_merge() falls exactly on line 113.

If I now call html() this way

    $value = Sanitize::html($value,array('remove' => true));

I don't get the warning anymore. However, my data doesn't save with the right encoding/format anymore.

Here's an example of text I need to save (it is French and needs UTF-8 encoding):

L'envoi d'une communication & à la fenêtre

I can't overcome this by doing

    $value = Sanitize::html($value,array('remove' => true, 'quotes' => ENT_HTML401));

because I'm using PHP 5.3.6, thus I can't use the constant ENT_HTML401.

If I use another constant like ENT_NOQUOTES, it ignores the quotes (obviously) but not the French accents and other special chars, which is intended to work this way, but I want to save the text exactly like I quoted (or at least read it).

I'm guessing I wouldn't need to use htmlentities, but I think it is safer to, and updating the core method is the only way I found to not get the warning. I also suppose I should not really modify these files other than for updating them?

So, briefly, I want to:

  • Get rid of the warning
  • Save/read data in the right format

I might have forgotten some info, thanks

Solution

I ended up updating the html() method of the Sanitize class to match version 1.3 as follows:

    function html($string, $options = array()) {
        static $defaultCharset = false;
        if ($defaultCharset === false) {
            $defaultCharset = Configure::read('App.encoding');
            if ($defaultCharset === null) {
                $defaultCharset = 'UTF-8';
            }
        }
        $default = array(
            'remove' => false,
            'charset' => $defaultCharset,
            'quotes' => ENT_QUOTES
        );

        $options = array_merge($default, $options);

        if ($options['remove']) {
            $string = strip_tags($string);
        }

        return htmlentities($string, $options['quotes'], $options['charset']);
    }

I call it like this:

    $value = Sanitize::html($value, array('remove'=>true,'quotes'=>ENT_NOQUOTES));

And I simply decode the text fields this way whenever I read their value from database:

    $data['Model']['field'] = html_entity_decode($data['Model']['field'], ENT_NOQUOTES, "UTF-8");

EDIT: I had to undo what I described above because the way data was encoded in the 1.3 version of the function made it so we had to decode the data in the whole application when reading it.

Also, I am NOT using CakePHP 1.3.7 (got confused with cake console); I'm using 1.2.4, so updating the function was not appropriate after all.

I kept the version 1.2 and this time I simply changed the second parameter to an array as follows, and it seemed to do the trick as I'm not getting the warning anymore.

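    function html($string, $options = array()) {
        // Second parameter is now an options array, as in 1.3.
        // !empty() treats a missing 'remove' key as false instead of raising
        // an "Undefined index" notice when html() is called without options.
        if (!empty($options['remove'])) {
            $string = strip_tags($string);
        } else {
            $patterns = array("/\&/", "/%/", "/</", "/>/", '/"/', "/'/", "/\(/", "/\)/", "/\+/", "/-/");
            $replacements = array("&amp;", "&#37;", "&lt;", "&gt;", "&quot;", "&#39;", "&#40;", "&#41;", "&#43;", "&#45;");
            $string = preg_replace($patterns, $replacements, $string);
        }
        return $string;
    }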
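
Added example, not part of the original question or answer and not CakePHP code: it puts the two html() behaviours discussed above next to escaping at output time with htmlspecialchars(), using the sentence from the question. The helper names (stripOnly, entitiesAll, escapeForHtml) and the second sample string are constructed for illustration, and UTF-8 source and data are assumed.

```php
<?php
// Added example; not CakePHP code. Helper names are hypothetical.
// Assumes this file and the stored text are UTF-8.

// 1.2-style html() with 'remove' set, as in the answer: tags stripped, nothing escaped.
function stripOnly($raw)
{
    return strip_tags($raw);
}

// 1.3-style html(): every character with a named entity is rewritten, accents included.
function entitiesAll($raw)
{
    return htmlentities($raw, ENT_QUOTES, 'UTF-8');
}

// Output-time escaping: only & < > " ' are rewritten, accents stay as UTF-8.
// The charset is passed explicitly because PHP 5.3 defaults to ISO-8859-1.
function escapeForHtml($raw)
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: the sentence from the question, and one with markup and a double quote.
$samples = array(
    "L'envoi d'une communication & à la fenêtre",
    'Bonjour <b>à tous</b>, "ici"',
);

foreach ($samples as $raw) {
    $stored = $raw; // what goes into the database: the text exactly as typed

    echo "stored        : ", $stored, "\n";
    echo "strip_tags    : ", stripOnly($stored), "\n";
    echo "htmlentities  : ", entitiesAll($stored), "\n";
    echo "escape at view: ", escapeForHtml($stored), "\n";

    // Quoted attribute context: an unescaped double quote closes value="..." early.
    echo 'attr (strip)  : <input value="', stripOnly($stored), '">', "\n";
    echo 'attr (escape) : <input value="', escapeForHtml($stored), '">', "\n";
    echo "\n";
}
```

Because the stored value is never entity-encoded in this arrangement, nothing has to be passed through html_entity_decode() when it is read back; escaping happens once, in the view.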

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow