From 18ce9c55e980843c79e87e65d93f96f8e42d4091 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A1t=C3=A9=20Szab=C3=B3?= Date: Tue, 7 May 2024 11:25:12 +0200 Subject: [PATCH] PLATFORM-9297 | Don't double-escape single quotes in Cargo results Cargo has been double-escaping query results since 2e587bab444d82d939cd376b2fb08f0eab95c854. On PHP 8.2, this is causing single quotes in benign outputs such as "Cox's Bazaar" to be double-escaped, as htmlspecialchars() on PHP 8.1 and newer escapes single quotes by default. The double-escaping can and should be investigated and fixed upstream, but to unblock our PHP 8.2 migration, simply switch back the htmlspecialchars() behavior to the original so that the single quotes do not get double-escaped.
---
 includes/CargoSQLQuery.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/includes/CargoSQLQuery.php b/includes/CargoSQLQuery.php
index a9130080..846f1ab0 100644
--- a/includes/CargoSQLQuery.php
+++ b/includes/CargoSQLQuery.php
@@ -1616,7 +1616,7 @@ public function run() {
 // It's a string.
 // Escape any HTML, to avoid JavaScript
 // injections and the like.
- $resultsRow[$alias] = htmlspecialchars( $curValue );
+ $resultsRow[$alias] = htmlspecialchars( $curValue, ENT_COMPAT );
 }
 }
 $resultArray[] = $resultsRow;
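Review bot: Pinning `ENT_COMPAT` on the changed `htmlspecialchars()` call means single quotes in `$curValue` are no longer escaped at this layer, so the value is only safe in HTML text and double-quoted attribute contexts. Any protection for single-quoted contexts now rests on the second escaping pass the commit message mentions, which is not visible in this hunk and should be confirmed for every output format that consumes `$resultsRow`. The comment above the call should record the reason, e.g. `// ENT_COMPAT keeps the pre-PHP 8.1 default; results are escaped again downstream, so ENT_QUOTES would double-escape apostrophes.` Passing explicit flags also drops `ENT_SUBSTITUTE` from the PHP 8.1+ default, so a value with invalid UTF-8 comes back as an empty string; `ENT_COMPAT | ENT_SUBSTITUTE` would avoid that if silently blanked fields are not wanted. `run()` begins and ends outside the hunk.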