From d6ce708930cb838af3ed1cf585d3ca62b7036d9b Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <fox@madoka.volgo-balt.ru>
Date: Sat, 23 Mar 2013 09:44:52 +0400
Subject: title escaping: do not double-encode entities

---
 classes/feeds.php     | 3 ++-
 include/functions.php | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/classes/feeds.php b/classes/feeds.php
index 3657a0564..f67321177 100644
--- a/classes/feeds.php
+++ b/classes/feeds.php
@@ -432,7 +432,8 @@ class Feeds extends Handler_Protected {
 					$reply['content'] .= "<div onclick='return hlClicked(event, $id)'
 						class=\"hlTitle\"><span class='hlContent$hlc_suffix'>";
 					$reply['content'] .= "<a id=\"RTITLE-$id\"
-						href=\"" . htmlspecialchars($line["link"]) . "\"
+						href=\"" . htmlspecialchars($line["link"], ENT_COMPAT | ENT_HTML401,
+							'utf-8', false) . "\"
 						onclick=\"\">" .
 						truncate_string($line["title"], 200);
 
diff --git a/include/functions.php b/include/functions.php
index e57ee6953..994b4c179 100644
--- a/include/functions.php
+++ b/include/functions.php
@@ -3022,7 +3022,8 @@
 
 			if ($line["link"]) {
 				$rv['content'] .= "<div class='postTitle'><a target='_blank'
-					title=\"".htmlspecialchars($line['title'])."\"
+					title=\"".htmlspecialchars($line["link"], ENT_COMPAT | ENT_HTML401,
+               'utf-8', false)."\"
 					href=\"" .
 					htmlspecialchars($line["link"]) . "\">" .
 					$line["title"] . "</a>" .
-- 
cgit v1.2.3