diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php
index f430a5767a..ba573908ef 100644
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@@ -751,13 +751,24 @@ function _wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = fals
 		$quote_style = ENT_NOQUOTES;
 	}
 
-	if ( ! $double_encode ) {
-		// Guarantee every &entity; is valid, convert &garbage; into &garbage;
-		// This is required for PHP < 5.4.0 because ENT_HTML401 flag is unavailable.
-		$string = wp_kses_normalize_entities( $string );
-	}
+	// Handle double encoding ourselves
+	if ( $double_encode ) {
+		$string = @htmlspecialchars( $string, $quote_style, $charset );
+	} else {
+		// Decode & into &
+		$string = wp_specialchars_decode( $string, $_quote_style );
 
-	$string = @htmlspecialchars( $string, $quote_style, $charset, $double_encode );
+		// Guarantee every &entity; is valid or re-encode the &
+		$string = wp_kses_normalize_entities( $string );
+
+		// Now re-encode everything except &entity;
+		$string = preg_split( '/(&#?x?[0-9a-z]+;)/i', $string, -1, PREG_SPLIT_DELIM_CAPTURE );
+
+		for ( $i = 0, $c = count( $string ); $i < $c; $i += 2 ) {
+			$string[$i] = @htmlspecialchars( $string[$i], $quote_style, $charset );
+		}
+		$string = implode( '', $string );
+	}
 
 	// Backwards compatibility
 	if ( 'single' === $_quote_style )
diff --git a/wp-includes/version.php b/wp-includes/version.php
index b0754359d8..7119391adc 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '4.3-beta2-33147';
+$wp_version = '4.3-beta2-33148';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
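Review bot: The `preg_split` in the non-double-encode branch is not checked for a `false` return (a PCRE error), and in that case the `for` loop over `count( $string )` and the `implode` silently turn the whole input into an empty string, which is the wrong failure mode for an escaping routine. I would keep the split result in its own variable and fail closed by encoding everything: `$parts = preg_split( '/(&#?x?[0-9a-z]+;)/i', $string, -1, PREG_SPLIT_DELIM_CAPTURE );` followed by `if ( false === $parts ) { $parts = array( $string ); } // fail closed: re-encode every &`, with the loop and `implode` then iterating `$parts`. Separately, the skip pattern `&#?x?[0-9a-z]+;` is looser than a well-formed character reference (it also matches shapes such as `&#abc;`), so those bytes only stay safely encoded because `wp_kses_normalize_entities` on the preceding line is presumably rewriting malformed references to `&amp;…` first; that dependency deserves a comment on the split, e.g. `// Relies on wp_kses_normalize_entities() having already rewritten every malformed reference, so anything this pattern skips is a valid entity`. The `@` suppression on `htmlspecialchars` also survives the rewrite, so a segment that is invalid in `$charset` still vanishes without a trace. `_wp_specialchars` begins before and ends after this hunk.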