From 670bf5c58d3879b0e8c7a50ded1e39efe97be0df Mon Sep 17 00:00:00 2001
From: Peter Rotich <peter@osticket.com>
Date: Sun, 28 Dec 2014 19:34:49 +0000
Subject: [PATCH] html: Replace htmlentities with htmlspecialchars

---
 include/class.format.php | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/include/class.format.php b/include/class.format.php
index 2357e45e5..80ca64a3b 100644
--- a/include/class.format.php
+++ b/include/class.format.php
@@ -275,7 +275,12 @@ class Format {
 return $striptags?Format::striptags($text, false):$text;
 }
 
- function htmlchars($var) {
+ function htmlchars($var, $sanitize = false) {
+ //XXX: should we decode first?
+ $var = Format::htmldecode($var);
+ if ($sanitize)
+ $var = Format::sanitize($var);
+
 return Format::htmlencode($var);
 }
 
@@ -293,7 +298,7 @@ class Format {
 $flags |= ENT_HTML401;
 
 try {
- return htmlentities( (string) $var, $flags, 'UTF-8', false);
+ return htmlspecialchars( (string) $var, $flags, 'UTF-8', false);
 } catch(Exception $e) {
 return $var;
 }
@@ -308,7 +313,7 @@ class Format {
 if (phpversion() >= '5.4.0')
 $flags |= ENT_HTML401;
 
- return html_entity_decode($var, $flags, 'UTF-8');
+ return htmlspecialchars_decode($var, $flags);
 }
 
 function input($var) {
-- 
GitLab
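Review bot: The new `htmlchars` decodes unconditionally while the `//XXX: should we decode first?` comment left directly above still questions that step; the XXX should be resolved and replaced by a contract comment, because the decode changes what callers get for text that was already entity-encoded (an input of literally `&amp;lt;` now comes out as `&lt;`, which a browser renders as `<`, where it previously rendered as `&lt;`). The result is still safe for an HTML text context, since `Format::htmlencode` re-encodes `<`, `>`, `&` and quotes after the decode. `Format::sanitize` is not visible here; as its output is re-encoded afterwards, any markup it preserves is displayed as literal text rather than rendered, which is worth stating if intended. A docblock such as `/** Decode entities, optionally run Format::sanitize, then encode for HTML text output. Already-encoded input is decoded one level first, so it does not round-trip verbatim. */` would replace the XXX line.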
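Review bot: The `try`/`catch` around the new `htmlspecialchars` call does not guard it the way the pattern suggests: `htmlspecialchars` does not throw on malformed UTF-8, it returns an empty string unless `ENT_SUBSTITUTE` or `ENT_IGNORE` is present in `$flags` (the base flags are set above the hunk, out of view), and if the catch ever did fire, `return $var;` would hand back the input unencoded. Consider `return '';` in the catch, or adding `ENT_SUBSTITUTE` to the flags so invalid sequences are replaced instead of the whole value being dropped. Note also that switching from `htmlentities` means non-ASCII characters are now emitted raw, so correct rendering depends on the response being served with a UTF-8 charset; the `'UTF-8'` argument only governs how the input is parsed. `htmlencode` starts outside the hunk.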
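Review bot: `htmlspecialchars_decode` decodes only `&amp;`, `&lt;`, `&gt;`, `&quot;` and, with `ENT_QUOTES`, `&#039;`, so numeric and named entities such as `&#x3C;` or `&nbsp;` now survive `htmldecode` where `html_entity_decode` previously resolved them; any existing caller using it for plain-text output or comparison, not just the new `htmlchars` path, will see different results. Within `htmlchars` this is safe for the encoded output, because `htmlencode` is called with `double_encode` off and leaves such entities intact for the browser to render as text, but `Format::sanitize` (if it inspects markup) would receive them undecoded. Add a docblock stating the narrowed contract, e.g. `/** Decodes only the htmlspecialchars() set (&amp; &lt; &gt; &quot; &#039;); other named and numeric entities are left intact. */`. Dropping the `'UTF-8'` argument is correct, as `htmlspecialchars_decode` takes no charset parameter. `htmldecode` starts outside the hunk.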