Index: src/wp-includes/formatting.php =================================================================== --- src/wp-includes/formatting.php (revision 32517) +++ src/wp-includes/formatting.php (working copy) @@ -665,25 +665,8 @@ $quote_style = ENT_NOQUOTES; } - // Handle double encoding ourselves - if ( $double_encode ) { - $string = @htmlspecialchars( $string, $quote_style, $charset ); - } else { - // Decode & into & - $string = wp_specialchars_decode( $string, $_quote_style ); + $string = @htmlspecialchars( $string, $quote_style, $charset, $double_encode ); - // Guarantee every &entity; is valid or re-encode the & - $string = wp_kses_normalize_entities( $string ); - - // Now re-encode everything except &entity; - $string = preg_split( '/(&#?x?[0-9a-z]+;)/i', $string, -1, PREG_SPLIT_DELIM_CAPTURE ); - - for ( $i = 0, $c = count( $string ); $i < $c; $i += 2 ) { - $string[$i] = @htmlspecialchars( $string[$i], $quote_style, $charset ); - } - $string = implode( '', $string ); - } - // Backwards compatibility if ( 'single' === $_quote_style ) $string = str_replace( "'", ''', $string ); Index: tests/phpunit/tests/formatting/WPSpecialchars.php =================================================================== --- tests/phpunit/tests/formatting/WPSpecialchars.php (revision 32517) +++ tests/phpunit/tests/formatting/WPSpecialchars.php (working copy) @@ -39,4 +39,58 @@ $this->assertEquals( '"'hello!'"', _wp_specialchars($source, true) ); $this->assertEquals( $source, _wp_specialchars($source) ); } + + /** + * Check some of the double-encoding features for entity references. + * + * @ticket 17780 + * @dataProvider data_double_encoding + */ + function test_double_encoding( $input, $output ) { + return $this->assertEquals( $output, _wp_specialchars( $input, ENT_NOQUOTES, false, true ) ); + } + + function data_double_encoding() { + return array( + array( + 'This & that, this & that, — " " Ú   " " " " " $ ×', + 'This & that, this &amp; that, &#8212; &quot; &QUOT; &Uacute; &nbsp; &#34; &#034; &#0034; &#x00022; &#x22; &dollar; &times;', + ), + array( + '&& && && &;', + '&& &&amp; &amp;&amp; &amp;;', + ), + array( + '&garbage; &***; &aaaa; &0000; &####; &;;', + '&garbage; &***; &aaaa; &0000; &####; &;;', + ), + ); + } + + /** + * Check some of the double-encoding features for entity references. + * + * @ticket 17780 + * @dataProvider data_no_double_encoding + */ + function test_no_double_encoding( $input, $output ) { + return $this->assertEquals( $output, _wp_specialchars( $input, ENT_NOQUOTES, false, false ) ); + } + + function data_no_double_encoding() { + return array( + array( + 'This & that, this & that, — " " Ú   " " " " " $ ×', + 'This & that, this & that, — " &QUOT; Ú   " " " " " &dollar; ×', + ), + array( + '&& && && &;', + '&& && && &;', + ), + array( + '&garbage; &***; &aaaa; &0000; &####; &;;', + '&garbage; &***; &aaaa; &0000; &####; &;;', + ), + ); + } }