author | Andrey Andreev <narf@devilix.net> | 2014-08-26 11:01:02 +0200 |
---|---|---|
committer | Andrey Andreev <narf@devilix.net> | 2014-08-26 11:01:02 +0200 |
commit | c40cce63f88ca12538edc757282c1d311480776c (patch) | |
tree | 5f8888e889b8aaf21defb5483b56fe2edcb351eb | |
parent | 8adf5e82864e54b8538d03bbba98ae9bb47092bd (diff) | |
parent | c851dc511b92d87002d1f338a31eaf76b7cb4350 (diff) |
Merge pull request #3204 from ivantcholakov/feature/html-escape-upgrade
Upgrading the function html_escape()
-rw-r--r-- | system/core/Common.php | 18 | ||||
-rw-r--r-- | user_guide_src/source/changelog.rst | 1 |
2 files changed, 12 insertions, 7 deletions
diff --git a/system/core/Common.php b/system/core/Common.php
index 752a2e7f1..b5a696c68 100644
--- a/system/core/Common.php
+++ b/system/core/Common.php
@@ -690,16 +690,20 @@ if ( ! function_exists('remove_invisible_characters'))
 if ( ! function_exists('html_escape'))
 {
 /**
- * Returns HTML escaped variable
+ * Returns HTML escaped variable.
 *
- * @param mixed
- * @return mixed
+ * @param mixed $var The input string or array of strings to be escaped.
+ * @param bool $double_encode $double_encode set to FALSE prevents escaping twice.
+ * @return mixed The escaped string or array of strings as a result.
 */
- function html_escape($var)
+ function html_escape($var, $double_encode = TRUE)
 {
- return is_array($var)
- ? array_map('html_escape', $var)
- : htmlspecialchars($var, ENT_QUOTES, config_item('charset'));
+ if (is_array($var))
+ {
+ return array_map('html_escape', $var, array_fill(0, count($var), $double_encode));
+ }
+
+ return htmlspecialchars($var, ENT_QUOTES, config_item('charset'), $double_encode);
 }
 }
 
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index 6619ae971..165ef424f 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -489,6 +489,7 @@ Release Date: Not Released
 - Removed the third (`$php_error`) argument from function :func:`log_message()`.
 - Changed internal function ``load_class()`` to accept a constructor parameter instead of (previously unused) class name prefix.
 - Removed default parameter value of :func:`is_php()`.
+ - Added a second argument ``$double_encode`` to :func:`html_escape()`.
 - :doc:`Output Library <libraries/output>` changes include: |
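Review bot: The array branch, `array_map('html_escape', $var, array_fill(0, count($var), $double_encode))`, no longer preserves keys: PHP's array_map keeps the input keys only when exactly one array is passed, so an associative array now comes back re-indexed from 0. A caller that escapes a keyed array and then reads a field by name gets a missing index, and a template that falls back to the raw value on that miss would print it unescaped. Recurse per key instead, `foreach ($var as $key => $value) { $var[$key] = html_escape($value, $double_encode); }` followed by `return $var;`. The docblock for `$double_encode` should also say that FALSE leaves entities already present in the input as they are, so it is meant for text that was escaped once already, not for raw request data.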