A Trap with get_html_translation_table()
You may know that unhtmlspecialchars() has been implemented in PHP.
With earlier versions of PHP, we wrote a custom function for this using get_html_translation_table(), like this:
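// Decode by flipping the table returned by get_html_translation_table() and applying it with strtr()
function my_unhtmlspecialchars( $text , $quotes = ENT_QUOTES )
{
    return strtr( $text , array_flip( get_html_translation_table( HTML_SPECIALCHARS , $quotes ) ) ) ;
}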
<?php
var_dump( htmlspecialchars( '"\'<>&' , ENT_QUOTES ) ) ;
var_dump( get_html_translation_table( HTML_SPECIALCHARS , ENT_QUOTES ) ) ;
?>
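string(25) "&quot;&#039;&lt;&gt;&amp;"
array(5) {
  ["""]=>
  string(6) "&quot;"
  ["'"]=>
  string(5) "&#39;"
  ["<"]=>
  string(4) "&lt;"
  [">"]=>
  string(4) "&gt;"
  ["&"]=>
  string(5) "&amp;"
}
Note the single quote: htmlspecialchars() outputs &#039;, but the table lists &#39;, so my_unhtmlspecialchars() leaves &#039; undecoded.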
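One way to detect and work around the mismatch shown in the output above, as an added example that is not the original post's code: the decode map is built from what htmlspecialchars() really emits on the running PHP, and both numeric spellings of the single quote are accepted. The function names special_chars(), table_mismatches() and my_unhtmlspecialchars_safe() are hypothetical, and the 'UTF-8' charset is an assumption; current PHP versions also ship the built-in htmlspecialchars_decode().

```php
<?php
// Added example, not from the original post. All function names are hypothetical.

// Characters htmlspecialchars() may encode.
function special_chars()
{
    return array( '"' , "'" , '<' , '>' , '&' ) ;
}

// Return the characters whose table entity differs from what
// htmlspecialchars() really emits on this PHP build.
function table_mismatches( $quotes = ENT_QUOTES )
{
    $table = get_html_translation_table( HTML_SPECIALCHARS , $quotes ) ;
    $bad = array() ;
    foreach ( special_chars() as $ch ) {
        // Charset is stated explicitly (assumed UTF-8) rather than left to the server default.
        $emitted = htmlspecialchars( $ch , $quotes , 'UTF-8' ) ;
        $listed = isset( $table[$ch] ) ? $table[$ch] : $ch ;
        if ( $emitted !== $listed ) {
            $bad[$ch] = array( 'emitted' => $emitted , 'table' => $listed ) ;
        }
    }
    return $bad ;
}

// Decoder whose map comes from the encoder's real output, plus both
// numeric spellings of the single quote when single quotes are encoded.
function my_unhtmlspecialchars_safe( $text , $quotes = ENT_QUOTES )
{
    $map = array_flip( get_html_translation_table( HTML_SPECIALCHARS , $quotes ) ) ;
    foreach ( special_chars() as $ch ) {
        $emitted = htmlspecialchars( $ch , $quotes , 'UTF-8' ) ;
        if ( $emitted !== $ch ) {
            $map[$emitted] = $ch ;
        }
    }
    if ( isset( $map['&#039;'] ) || isset( $map['&#39;'] ) ) {
        $map['&#039;'] = $map['&#39;'] = "'" ;
    }
    // strtr() with an array makes one pass and never rescans its own output,
    // so '&amp;lt;' becomes '&lt;' and is not decoded a second time into '<'.
    return strtr( $text , $map ) ;
}

// Constructed sample input: the same five characters the post uses.
$encoded = htmlspecialchars( '"\'<>&' , ENT_QUOTES , 'UTF-8' ) ;
var_dump( table_mismatches( ENT_QUOTES ) ) ;
var_dump( my_unhtmlspecialchars_safe( $encoded , ENT_QUOTES ) === '"\'<>&' ) ;
var_dump( my_unhtmlspecialchars_safe( '&amp;lt;script&amp;gt;' ) ) ;
```

An empty array from table_mismatches() means the table and the encoder agree on that PHP build; a non-empty one names the characters the table-based decoder would miss.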
We had trouble with some Russian languages using UTF-8 with the textsanitizer, and we had to add the charset to the end of function htmlSpecialChars() in order to solve it. This could have been caused by various server configs though, because some of us couldn't replicate the issue ourselves.
On a side note: we also discovered that when using UTF-8 charsets fully, we ran into a few small issues with icms, which will affect xoops as well.
In certain conditions, it is not enough to just use htmlspecialchars, but you also need to set which character set you are using as well.