From c02f6fb3feb77ca868dab2ba47702f145a7f030d Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Sat, 7 Jun 2025 14:28:44 +0200
Subject: [PATCH] Output blocks of safe chars in php_filter_encode_html()

Fixes a long-standing TODO, and is faster.
---
 ext/filter/sanitizing_filters.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/ext/filter/sanitizing_filters.c b/ext/filter/sanitizing_filters.c
index d619bb0fc13..ebc20e47711 100644
--- a/ext/filter/sanitizing_filters.c
+++ b/ext/filter/sanitizing_filters.c
@@ -31,6 +31,7 @@ static void php_filter_encode_html(zval *value, const unsigned char *chars)
 size_t len = Z_STRLEN_P(value);
 unsigned char *s = (unsigned char *)Z_STRVAL_P(value);
 unsigned char *e = s + len;
+ unsigned char *last_output = s;
 
 if (Z_STRLEN_P(value) == 0) {
 return;
@@ -38,16 +39,17 @@ static void php_filter_encode_html(zval *value, const unsigned char *chars)
 
 while (s < e) {
 if (chars[*s]) {
+ smart_str_appendl(&str, (const char *) last_output, s - last_output);
 smart_str_appendl(&str, "&#", 2);
 smart_str_append_unsigned(&str, (zend_ulong)*s);
 smart_str_appendc(&str, ';');
- } else {
- /* XXX: this needs to be optimized to work with blocks of 'safe' chars */
- smart_str_appendc(&str, *s);
+ last_output = s + 1;
 }
 s++;
 }
 
+ smart_str_appendl(&str, (const char *) last_output, s - last_output);
+
 zval_ptr_dtor(value);
 ZVAL_NEW_STR(value, smart_str_extract(&str));
 }
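Review bot: The new `last_output` pointer is only ever read through (the second hunk casts it to `const char *` for `smart_str_appendl`), so it can be declared `const unsigned char *last_output = s;`. It also carries the invariant the whole rewrite depends on and should say so, for example `/* Start of the pending run of safe bytes not yet appended to str. */`. The function's signature and the declaration of `str` lie outside this hunk.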
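Review bot: No regression test accompanies the rewritten loop; the diffstat shows only `sanitizing_filters.c` changing. This function produces HTML-escaped output, and the block copy is correct only if `last_output` moves past every encoded byte and the tail is flushed after the loop. A test should pin the boundaries: an encoded byte in the first and in the last position, consecutive encoded bytes (where `s - last_output` is 0), an all-safe string, and a string with an embedded NUL byte. The final flush could also be commented, for example `/* Flush the trailing run of safe bytes. */`. The start of the function body is outside this hunk.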