title escaping: do not double-encode entities

2013-03-23 09:44:52 +04:00 · 2013-03-23 09:44:52 +04:00 · d6ce708930
commit d6ce708930
parent 01dffac771
2 changed files with 4 additions and 2 deletions
--- a/classes/feeds.php
+++ b/classes/feeds.php
@ -432,7 +432,8 @@ class Feeds extends Handler_Protected {
 					$reply['content'] .= "<div onclick='return hlClicked(event, $id)'
 						class=\"hlTitle\"><span class='hlContent$hlc_suffix'>";
 					$reply['content'] .= "<a id=\"RTITLE-$id\"
-						href=\"" . htmlspecialchars($line["link"]) . "\"
+						href=\"" . htmlspecialchars($line["link"], ENT_COMPAT | ENT_HTML401,
+							'utf-8', false) . "\"
 						onclick=\"\">" .
 						truncate_string($line["title"], 200);

--- a/include/functions.php
+++ b/include/functions.php
@ -3022,7 +3022,8 @@

 			if ($line["link"]) {
 				$rv['content'] .= "<div class='postTitle'><a target='_blank'
-					title=\"".htmlspecialchars($line['title'])."\"
+					title=\"".htmlspecialchars($line["link"], ENT_COMPAT | ENT_HTML401,
+               'utf-8', false)."\"
 					href=\"" .
 					htmlspecialchars($line["link"]) . "\">" .
 					$line["title"] . "</a>" .