added unescapeString method to unescape data in raw view

Author: lukasbecvar

src/Controller/PasteController.php

@@ -3,6 +3,7 @@
 namespace App\Controller;
 
 use Exception;
+use App\Util\SecurityUtil;
 use App\Manager\PasteManager;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
@@ -18,10 +19,12 @@
  */
 class PasteController extends AbstractController
 {
+    private SecurityUtil $securityUtil;
     private PasteManager $pasteManager;
 
-    public function __construct(PasteManager $pasteManager)
+    public function __construct(SecurityUtil $securityUtil, PasteManager $pasteManager)
     {
+        $this->securityUtil = $securityUtil;
         $this->pasteManager = $pasteManager;
     }
 
@@ -107,6 +110,9 @@ public function raw(Request $request): Response
         // get paste content
         $paste = $this->pasteManager->getPaste($pasteFile);
 
+        // unescape HTML entities to show original content
+        $paste = $this->securityUtil->unescapeString($paste ?? '');
+
         // return raw content
         $response = new Response($paste);
         $response->headers->set('Content-Type', 'text/plain; charset=UTF-8');

src/Util/SecurityUtil.php

@@ -23,6 +23,18 @@ public function escapeString(string $string): ?string
         return htmlspecialchars($string, ENT_QUOTES | ENT_HTML5);
     }
 
+    /**
+     * Unescape HTML entities back to their original characters
+     *
+     * @param string $string The input string to unescape
+     *
+     * @return string The unescaped string
+     */
+    public function unescapeString(string $string): string
+    {
+        return htmlspecialchars_decode($string, ENT_QUOTES | ENT_HTML5);
+    }
+
     /**
      * Encrypt string using AES encryption
      *

tests/Controller/PasteControllerTest.php

@@ -92,9 +92,15 @@ public function testRawViewPaste(): void
     {
         $this->client->request('GET', '/raw?f=zSc0Uh8L1gsA7a6u');
 
+        // get response content
+        $content = $this->client->getResponse()->getContent();
+
         // assert response
+        $this->assertNotEmpty($content);
         $this->assertResponseStatusCodeSame(Response::HTTP_OK);
+        $this->assertStringNotContainsString('<', $content);
+        $this->assertStringNotContainsString('>', $content);
+        $this->assertStringNotContainsString('"', $content);
         $this->assertResponseHeaderSame('Content-Type', 'text/plain; charset=UTF-8');
-        $this->assertNotEmpty($this->client->getResponse()->getContent());
     }
 }

tests/Util/SecurityUtilTest.php

@@ -38,6 +38,20 @@ public function testEscapeString(): void
         $this->assertEquals($expectedOutput, $this->securityUtil->escapeString($input));
     }
 
+    /**
+     * Test unescape HTML entities
+     *
+     * @return void
+     */
+    public function testUnescapeString(): void
+    {
+        $escapedString = '<script>alert("xss")</script>';
+        $expectedOutput = '<script>alert("xss")</script>';
+
+        // assert result
+        $this->assertEquals($expectedOutput, $this->securityUtil->unescapeString($escapedString));
+    }
+
     /**
      * Test encrypt AES
      *