title escaping: do not double-encode entities

author Andrew Dolgov <fox@madoka.volgo-balt.ru>

Sat, 23 Mar 2013 05:44:52 +0000 (09:44 +0400)

committer Andrew Dolgov <fox@madoka.volgo-balt.ru>

Sat, 23 Mar 2013 05:44:52 +0000 (09:44 +0400)
author Andrew Dolgov <fox@madoka.volgo-balt.ru>
Sat, 23 Mar 2013 05:44:52 +0000 (09:44 +0400)
committer Andrew Dolgov <fox@madoka.volgo-balt.ru>
Sat, 23 Mar 2013 05:44:52 +0000 (09:44 +0400)
diff --git a/classes/feeds.php b/classes/feeds.php

index 3657a0564caa247cc91e9d0c0fb186c44506b45e..f673211774b25a41e28ae1d0e43383341491fc1f 100644 (file)
--- a/classes/feeds.php
+++ b/classes/feeds.php
@@ -432,7 +432,8 @@ class Feeds extends Handler_Protected {
                                         $reply['content'] .= "<div onclick='return hlClicked(event, $id)'
                                                 class=\"hlTitle\"><span class='hlContent$hlc_suffix'>";
                                         $reply['content'] .= "<a id=\"RTITLE-$id\"
-                                               href=\"" . htmlspecialchars($line["link"]) . "\"
+                                               href=\"" . htmlspecialchars($line["link"], ENT_COMPAT | ENT_HTML401,
+                                                       'utf-8', false) . "\"
                                                 onclick=\"\">" .
                                                 truncate_string($line["title"], 200);
  
diff --git a/include/functions.php b/include/functions.php

index e57ee6953a2eb85fd3af4e65ddabc41d3ff7ecf3..994b4c1794150797fadc8e694557cb4540c48d87 100644 (file)
--- a/include/functions.php
+++ b/include/functions.php
@@ -3022,7 +3022,8 @@
  
                         if ($line["link"]) {
                                 $rv['content'] .= "<div class='postTitle'><a target='_blank'
-                                       title=\"".htmlspecialchars($line['title'])."\"
+                                       title=\"".htmlspecialchars($line["link"], ENT_COMPAT | ENT_HTML401,
+               'utf-8', false)."\"
                                         href=\"" .
                                         htmlspecialchars($line["link"]) . "\">" .
                                         $line["title"] . "</a>" .
author	Andrew Dolgov <fox@madoka.volgo-balt.ru>
	Sat, 23 Mar 2013 05:44:52 +0000 (09:44 +0400)
committer	Andrew Dolgov <fox@madoka.volgo-balt.ru>
	Sat, 23 Mar 2013 05:44:52 +0000 (09:44 +0400)
classes/feeds.php		patch \| blob \| history
include/functions.php		patch \| blob \| history