diff --git a/core/includes/bootstrap.inc b/core/includes/bootstrap.inc
index e1c15fea0e7bdf9942e8fcb0d4587daa87496869..effc5838746dea6071ca6746eb06cfcb9d3d772a 100644
--- a/core/includes/bootstrap.inc
+++ b/core/includes/bootstrap.inc
@@ -1622,7 +1622,7 @@ function format_string($string, array $args = array()) {
 * @ingroup sanitization
 */
 function check_plain($text) {
- return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
+ return htmlspecialchars($text, ENT_QUOTES, 'UTF-8', FALSE);
 }
 
 /**
diff --git a/core/modules/system/lib/Drupal/system/Tests/Common/XssUnitTest.php b/core/modules/system/lib/Drupal/system/Tests/Common/XssUnitTest.php
index dff85bd957fea677c4217eb42ae71ffb0bdd0697..1643641f65ca63260050c5e2812d4881427ddf7e 100644
--- a/core/modules/system/lib/Drupal/system/Tests/Common/XssUnitTest.php
+++ b/core/modules/system/lib/Drupal/system/Tests/Common/XssUnitTest.php
@@ -60,6 +60,9 @@ function testEscaping() {
 $this->assertEqual($text, '<script>', 'check_plain() escapes <script>');
 $text = check_plain('<>&"\'');
 $this->assertEqual($text, '<>&"'', 'check_plain() escapes reserved HTML characters.');
+ // Test that check_plain() is not double-escaping entities in strings.
+ $text = check_plain('<
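Review bot: The docblock that ends at `* @ingroup sanitization` should document the behaviour the new fourth argument introduces, because passing `FALSE` as `double_encode` makes htmlspecialchars() leave any existing named, decimal or hex entity in $text untouched instead of encoding its ampersand. The practical effect is that check_plain() becomes idempotent, but an input such as `&lt;` is no longer escaped to display as the literal text `&lt;` and will render as `<`, so callers that rely on check_plain() to show user input verbatim (for example text about HTML markup) see a change in output. I would add before `@ingroup sanitization` a line such as `* Entities already present in $text (e.g. &amp; or &#039;) are preserved rather than double-encoded, so the function can safely be applied more than once to the same string.` The docblock starts outside the hunk, and the test hunk in XssUnitTest.php that exercises this is cut off at the end of the view.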