5703 removed encode/decode of content when using the content editor

include/lib/mysql_connect.inc.php

@@ -187,7 +187,13 @@ function create_sql($query, $params=array(), $sanitize = true){
     if ($sanitize) {
         foreach($params as $i=>$value) {
          if(defined('MYSQLI_ENABLED')){  
-             $value = htmlspecialchars_decode($value, ENT_QUOTES);  
+            // the following decode is a problem for the content editor
+            // when html is being included as entities to be displayed as text.
+            // So disable it for the content editor
+             //$value = htmlspecialchars_decode($value, ENT_QUOTES);  
+             if(!strstr($_SERVER['PHP_SELF'], "edit_content")){
+                $value = htmlspecialchars_decode($value, ENT_QUOTES);
+            }
              $params[$i] = $addslashes($value);
             }else {
              $params[$i] = $addslashes($value);           

include/lib/vital_funcs.inc.php

@@ -1231,7 +1231,10 @@ function escape_all_supers(){
     }
     $_SERVER['PHP_SELF'] = htmlspecialchars($_SERVER['PHP_SELF']);
 }
-escape_all_supers();
+// hack to prevent content editor from converting entities to tags
+if(!strstr($_SERVER['PHP_SELF'], "edit_content")){
+    escape_all_supers();
+}
 
 /**
     * Functions to clean up the escaped newlines left behind

mods/_core/editor/edit_content.php

@@ -271,7 +271,9 @@ function compare($x, $y) {
             $_POST['head'] = $content_row['head'];
             $_POST['use_customized_head'] = $content_row['use_customized_head'];
             $_POST['title']      = $content_row['title'];
-            $_POST['body_text']  = htmlspecialchars_decode($content_row['text']);
+            // remove decode to allow html entities in content
+           // $_POST['body_text']  = htmlspecialchars_decode($content_row['text']);
+            $_POST['body_text']  = $content_row['text'];
             $_POST['weblink_text'] = $content_row['text'];
             $_POST['keywords']   = $content_row['keywords'];
             $_POST['test_message'] = $content_row['test_message'];

mods/_core/editor/editor_tab_functions.inc.php

@@ -184,7 +184,9 @@ function save_changes($redir, $current_tab) {
 	$_POST['use_customized_head']	= isset($_POST['use_customized_head'])?$_POST['use_customized_head']:0;
 	// $_POST['body_text']	= $stripslashes(trim($_POST['body_text'])); //this line breaks LaTex
 	$_POST['body_text']=preg_replace("/[\n\r]/","",$_POST['body_text']);
-	$_POST['body_text']	= trim(htmlspecialchars_decode($_POST['body_text']));
+	//$_POST['body_text']	= trim(htmlspecialchars_decode($_POST['body_text']));
+	// decode removed so html can be save as entities
+	$_POST['body_text']	= trim($_POST['body_text']);
 	$_POST['weblink_text'] = trim($_POST['weblink_text']);
 	$_POST['formatting'] = intval($_POST['formatting']);
 	$_POST['keywords']	= $stripslashes(trim($_POST['keywords']));

mods/_core/editor/editor_tabs/edit.inc.php

@@ -112,7 +112,7 @@
     <div class="row">
         <span id="textSpan">
             <label for="body_text"><strong><?php echo _AT('body');  ?></strong></label><br />
-            <textarea name="body_text" id="body_text" cols="80" rows="20"><?php echo ContentManager::cleanOutput($_POST['body_text']);?></textarea>
+            <textarea name="body_text" id="body_text" cols="80" rows="20"><?php echo htmlentities($_POST['body_text'], ENT_NOQUOTES);?></textarea>
         </span>
         <span id="weblinkSpan">	
             <label for="weblink_text"><?php echo _AT('weblink');  ?></label>