Index: src/wp-includes/formatting.php =================================================================== --- src/wp-includes/formatting.php (revision 32850) +++ src/wp-includes/formatting.php (working copy) @@ -688,6 +688,12 @@ $quote_style = ENT_NOQUOTES; } + if ( ! $double_encode ) { + // Guarantee every &entity; is valid, convert &garbage; into &garbage; + // This is required for PHP < 5.4.0 because ENT_HTML401 flag is unavailable. + $string = wp_kses_normalize_entities( $string ); + } + $string = @htmlspecialchars( $string, $quote_style, $charset, $double_encode ); // Backwards compatibility Index: tests/phpunit/tests/formatting/EscHtml.php =================================================================== --- tests/phpunit/tests/formatting/EscHtml.php (revision 32850) +++ tests/phpunit/tests/formatting/EscHtml.php (working copy) @@ -34,7 +34,7 @@ function test_ignores_existing_entities() { $source = '& £ " &'; - $res = '& £ " &'; + $res = '& £ " &'; $this->assertEquals( $res, esc_html($source) ); } } Index: tests/phpunit/tests/formatting/WPSpecialchars.php =================================================================== --- tests/phpunit/tests/formatting/WPSpecialchars.php (revision 32850) +++ tests/phpunit/tests/formatting/WPSpecialchars.php (working copy) @@ -85,7 +85,7 @@ return array( array( 'This & that, this & that, — " " Ú   " " " " " $ ×', - 'This & that, this & that, — " &QUOT; Ú   " " " " " &dollar; ×', + 'This & that, this & that, — " &QUOT; Ú   " " " " " &dollar; ×', ), array( '&& && && &;',