Bugfix: Allow UTF-8 in user instructions. Fixes #3360

functions/classes/class.Common.php

@@ -640,6 +640,12 @@ class Common_functions  {
 		if (!is_string($html) || strlen($html)==0)
 			return "";
 
+		// Convert encoding to UTF-8
+		$html = mb_convert_encoding($html, 'HTML-ENTITIES', 'UTF-8');
+
+		// Throw loadHTML() parsing errors
+		$err_mode = libxml_use_internal_errors(false);
+
 		try {
 			$dom = new \DOMDocument();
 
@@ -651,9 +657,7 @@ class Common_functions  {
 
 			$elements = $dom->getElementsByTagName('*');
 
-			if (!is_object($elements) || $elements->length==0)
-				return $html;  // no HTML elements
-
+			if (is_object($elements) && $elements->length>0) {
 				foreach($elements as $e) {
 					if (in_array($e->nodeName, $banned_elements)) {
 						$remove_elements[] = $e;
@@ -676,12 +680,15 @@ class Common_functions  {
 
 				// Return sanitised HTML
 				$html = $dom->saveHTML();
-
-			return is_string($html) ? $html : "";
-
+			}
 		} catch (Exception $e) {
-			return "";
+			$html = "";
 		}
+
+		// restore error mode
+		libxml_use_internal_errors($err_mode);
+
+		return is_string($html) ? $html : "";
 	}
 
 	/**

misc/CHANGELOG

@@ -71,7 +71,7 @@
     + SQL injections processing `ftype` (#2751);
     + All circuits map, PHP object injection (#2937);
     + Upgraded jQuery to 3.5.1 (#3119);
-    + Stored XSS in instructions widgets (#3025);
+    + Stored XSS in instructions widgets (#3025, #3360);
     + PHP session ID fixation (#3342);
     + XSS (reflected) in IP calculator (#3351);