diff options
| -rw-r--r-- | html.class | 4 |
1 files changed, 2 insertions, 2 deletions
@@ -248,13 +248,13 @@ function sanitize($html) { # Link tags, keeps only href attribute list($head, $href, $content, $tail) = $tag; - $result .= it_html::sanitize($head) . "<a href=\"$href\">" . it_html::sanitize($content) . "</a>" . it_html::sanitize($tail); + $result .= it_html::sanitize($head) . '<a href="' . it_html::Q(html_entity_decode($href)) . '">' . it_html::sanitize($content) . "</a>" . it_html::sanitize($tail); } else if ($tag = it::match('(.*)<img[^>]+?src="(' . $urlpattern . ')"[^>]*?>(.*)', $html)) { # Image tags, keeps only src attribute list($head, $src, $tail) = $tag; - $result .= it_html::sanitize($head) . "<img src=\"$src\" alt=\"\" />" . it_html::sanitize($tail); + $result .= it_html::sanitize($head) . '<img src="' . it_html::Q(html_entity_decode($src)) . '" alt="" />' . it_html::sanitize($tail); } else if ($tag = it::match("(.*)<(br)[^>]*>(.*)", $html)) { |