From 46cb4e762883213ab5a67a3b7792a83c5816ccf0 Mon Sep 17 00:00:00 2001
From: Tobias Zeising
Date: Sun, 28 Apr 2013 10:23:58 +0200
Subject: [PATCH] Decode HTML entities before passing title or content to htmLawed (#293)

---
 helpers/ContentLoader.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/helpers/ContentLoader.php b/helpers/ContentLoader.php
index c9e5cd4fb4..2130436ed2 100644
--- a/helpers/ContentLoader.php
+++ b/helpers/ContentLoader.php
@@ -106,7 +106,7 @@ public function fetch($source) {
 // sanitize content html
 $content = htmLawed(
- $item->getContent(),
+ html_entity_decode($item->getContent(), ENT_COMPAT, 'UTF-8'),
 array(
 "safe" => 1,
 "deny_attribute" => '* -alt -title -src -href',
@@ -116,7 +116,8 @@ public function fetch($source) {
 "elements" => 'div,p,ul,li,a,img,dl,dt,h1,h2,h3,h4,h5,h6,ol,br,table,tr,td,blockquote,pre,ins,del,th,thead,tbody,b,i,strong,em,tt'
 )
 );
- $title = htmLawed($item->getTitle(), array("deny_attribute" => "*", "elements" => "-*"));
+ $title = html_entity_decode($item->getTitle(), ENT_COMPAT, 'UTF-8');
+ $title = htmLawed($title, array("deny_attribute" => "*", "elements" => "-*"));
 \F3::get('logger')->log('item content sanitized', \DEBUG);
 $icon = $item->getIcon();
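Review bot: The decode added on the `+` line of the first hunk (and the matching title decode in the second hunk) turns text the feed deliberately escaped into live markup before htmLawed sees it, so a post that shows `&lt;script&gt;` as a code sample is now handled as a real element and stripped rather than displayed. htmLawed still runs last, so this is not a sanitizer bypass, but that order is load-bearing: any later refactor that moves `html_entity_decode` after `htmLawed` would hand unsanitized markup downstream. A comment on the decode line would make the constraint explicit, e.g. `// decode entities first (#293: some feeds double-encode); htmLawed must remain the final step`. ENT_COMPAT decodes `&quot;` but leaves single-quote entities encoded, which is presumably acceptable since htmLawed processes the result either way; what is worth confirming against the rendering templates is that the title, which now carries raw `&` and `<` characters, is escaped on output. fetch() starts before and continues after both hunks.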
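Review bot: The same `html_entity_decode(..., ENT_COMPAT, 'UTF-8')` call is duplicated with identical flags in the content hunk and the title hunk, and written inline in one and as a separate statement in the other. A small private helper such as `private function decodeEntities($s) { return html_entity_decode($s, ENT_COMPAT, 'UTF-8'); }` would keep the flag and charset choice in one place, so a later change to ENT_QUOTES or to the charset cannot drift between the two call sites.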