From 4f45858c0ab3165c59bad9dbae6b8fb43a18d56e Mon Sep 17 00:00:00 2001
From: Ivan Tcholakov
Date: Mon, 25 Aug 2014 11:20:22 +0300
Subject: Upgrading the function html_escape(), escaping twice can be prevented by setting the second argument to FALSE.

---
 system/core/Common.php | 12 ++++++++----
 user_guide_src/source/changelog.rst | 1 +
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/system/core/Common.php b/system/core/Common.php
index 752a2e7f1..fd248e9b9 100644
--- a/system/core/Common.php
+++ b/system/core/Common.php
@@ -690,16 +690,20 @@ if ( ! function_exists('remove_invisible_characters'))
 if ( ! function_exists('html_escape'))
 {
 /**
- * Returns HTML escaped variable
+ * Returns HTML escaped variable.
+ * $double_encode set to FALSE prevents escaping twice.
 *
 * @param mixed
+ * @param bool
 * @return mixed
 */
- function html_escape($var)
+ function html_escape($var, $double_encode = TRUE)
 {
+ $double_encode = (bool) $double_encode;
+
 return is_array($var)
- ? array_map('html_escape', $var)
- : htmlspecialchars($var, ENT_QUOTES, config_item('charset'));
+ ? ($double_encode === FALSE ? array_map('html_escape', $var, array_fill(0, count($var), FALSE)) : array_map('html_escape', $var))
+ : htmlspecialchars($var, ENT_QUOTES, config_item('charset'), $double_encode);
 }
 }
 
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index 6619ae971..4ff71a525 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
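Review bot: The FALSE branch of the new ternary in html_escape() drops string keys, because array_map() only preserves keys when it is given exactly one array; with the extra array_fill() argument an associative input such as `array('name' => '<b>')` comes back re-indexed as `0 => '&lt;b&gt;'`, while the TRUE branch keeps the original keys. A foreach that writes back by key behaves the same for both flag values, still recurses into nested arrays, and avoids building the throwaway array_fill() list. The new docblock should also warn that `$double_encode = FALSE` leaves every entity already present in `$var` untouched, so it is only safe for data that is known to be escaped already and must not be used on raw user input; a line such as `* Only pass FALSE for data that is already escaped; existing entities are kept verbatim.` would make that explicit. The enclosing function_exists() guard opens and closes inside the hunk, so the whole function is visible.
```php
	function html_escape($var, $double_encode = TRUE)
	{
		$double_encode = (bool) $double_encode;

		if (is_array($var))
		{
			// foreach keeps string keys; array_map() with a second array would re-index them
			foreach ($var as $key => $value)
			{
				$var[$key] = html_escape($value, $double_encode);
			}

			return $var;
		}

		return htmlspecialchars($var, ENT_QUOTES, config_item('charset'), $double_encode);
	}
```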
@@ -489,6 +489,7 @@ Release Date: Not Released
 - Removed the third (`$php_error`) argument from function :func:`log_message()`.
 - Changed internal function ``load_class()`` to accept a constructor parameter instead of (previously unused) class name prefix.
 - Removed default parameter value of :func:`is_php()`.
+ - Added a second optional argument ``$double_encode`` to :func:`html_escape()`. When ``$double_encode`` is set to FALSE, escaping twice is prevented.
 - :doc:`Output Library ` changes include:
-- cgit v1.2.3-24-g4f1b