From c2994e27002f24848f6e8060110091186c19c1ba Mon Sep 17 00:00:00 2001
From: Alexander Ebert
Date: Sun, 8 Apr 2018 19:20:39 +0200
Subject: [PATCH] Avoid implicit type conversions
---
 .../system/html/input/HtmlInputProcessor.class.php | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/wcfsetup/install/files/lib/system/html/input/HtmlInputProcessor.class.php b/wcfsetup/install/files/lib/system/html/input/HtmlInputProcessor.class.php
index 4cfdc2a676..73f5f82394 100644
--- a/wcfsetup/install/files/lib/system/html/input/HtmlInputProcessor.class.php
+++ b/wcfsetup/install/files/lib/system/html/input/HtmlInputProcessor.class.php
@@ -99,7 +99,16 @@ class HtmlInputProcessor extends AbstractHtmlProcessor {
 $bbcodeAttributes = '';
 foreach ($attributes as $attribute) {
 if (!empty($bbcodeAttributes)) $bbcodeAttributes .= ',';
- $bbcodeAttributes .= "'" . addcslashes($attribute, "'") . "'";
+
+ if ($attribute === true) $bbcodeAttributes .= 'true';
+ else if ($attribute === false) $bbcodeAttributes .= 'false';
+ else if (is_string($attribute) || is_numeric($attribute)) {
+ $bbcodeAttributes .= "'" . addcslashes($attribute, "'") . "'";
+ }
+ else {
+ // discard anything that is not string-like
+ $bbcodeAttributes .= "''";
+ }
 }
 $text = $metacode->ownerDocument->createTextNode('[' . $name . (!empty($bbcodeAttributes) ? '=' . $bbcodeAttributes : '') . ']');
--
2.20.1
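Review bot: The string/numeric branch still escapes only the single quote, `addcslashes($attribute, "'")`, so a value that ends in a backslash is written out as `'...\'`; if the BBCode attribute parser treats a backslash as an escape character (not visible in this hunk), the closing quote is swallowed and the text after it is read as part of the attribute. These values appear to come from submitted HTML, so consider escaping the backslash too, `addcslashes($attribute, "'\\")`, once you have confirmed the parser unescapes it symmetrically. The fallback branch also maps `null`, arrays and objects to `''` without any trace; extending its comment to say the empty placeholder is emitted on purpose so later attributes keep their position would help the next reader. The enclosing method starts and ends outside the hunk.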