From c90e16721a0660dc2dedbd31a9df428e03b7ff13 Mon Sep 17 00:00:00 2001
From: Dries Buytaert
Date: Fri, 3 Jul 2009 18:26:35 +0000
Subject: - Patch #359276 by Freso, Heine, lyricnz: avoid double encoding/decoding of HTML entities.

---
 includes/common.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'includes')

diff --git a/includes/common.inc b/includes/common.inc
index fb4aff11d..0d95442a8 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -1359,12 +1359,12 @@ function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite',
   // Defuse all HTML entities
   $string = str_replace('&', '&', $string);
   // Change back only well-formed entities in our whitelist
-  // Named entities
-  $string = preg_replace('/&([A-Za-z][A-Za-z0-9]*;)/', '&\1', $string);
   // Decimal numeric entities
   $string = preg_replace('/&#([0-9]+;)/', '&#\1', $string);
   // Hexadecimal numeric entities
   $string = preg_replace('/&#[Xx]0*((?:[0-9A-Fa-f]{2})+;)/', '&#x\1', $string);
+  // Named entities
+  $string = preg_replace('/&([A-Za-z][A-Za-z0-9]*;)/', '&\1', $string);
   return preg_replace_callback('%
     (
-- 
cgit v1.2.3
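Review bot: The added `// Named entities` lines give no hint that their position is load-bearing, so a later tidy-up could move them back above the numeric cases and silently reintroduce the double-unescaping this commit removes; I would extend the comment to `// Named entities. Must run after the numeric cases: a literal '&amp;#39;' in the input would otherwise be unescaped twice.` The context comment `Change back only well-formed entities in our whitelist` also overstates what the moved pattern checks, since `[A-Za-z][A-Za-z0-9]*;` accepts any alphanumeric name rather than a whitelist of known entity names, so `well-formed entities` would be the accurate wording when that line is next touched. The replacement strings are rendered on this page as `'&'`, where the source presumably reads `'&amp;'`; the reasoning above assumes the latter. filter_xss continues past the end of the hunk.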