html entities in href are decoded and cut

[edwinveldhuizen]

Version 2.2.2

Thanks for the previous fix, it works like a charm.
We found another issue, because it seems that when a <a> href contains a html entity like &amp, the href is being wrongfully decoded and replaced

Without htmlentity in href
Before:

<a href="https://mbd.baidu.com/newspage/data/landingsuper?context=%7B%22nid%22%3A%22news_15446515888862039806%22%7D&n_type=0&p_from=1" target="_blank">Valid Link</a>

after:

<a href="https://mbd.baidu.com/newspage/data/landingsuper?context=%7B%22nid%22%3A%22news_15446515888862039806%22%7D&n_type=0&p_from=1" target="_blank">Valid Link</a>

With htmlentity in href
Before:

<a href="https://mbd.baidu.com/newspage/data/landingsuper?context=%7B%22nid%22%3A%22news_15446515888862039806%22%7D&amp;n_type=0&amp;p_from=1" target="_blank">Valid Link</a>

after:

<a href="https://mbd.baidu.com/newspage/data/landingsuper?context={" target="_blank">Valid Link</a>

[edwinveldhuizen]

Actually it seems to go deeper than that, it also decodes other entities that might need to stay encoded:

Before

<p>&lt;h1&gt;<a href="https://mbd.baidu.com/newspage/data/landingsuper?context=%7B%22nid%22%3A%22news_15446515888862039806%22%7D&amp;n_type=0&amp;p_from=1" target="_blank">Special url</a>&lt;/h1&gt; User content %7B%7B Test 123</p>

After

<p><h1><a href="https://mbd.baidu.com/newspage/data/landingsuper?context={" target="_blank">Special url</a></h1> User content {{ Test 123</p>

[voku]

Thanks for the report. Fixed in v2.3 (< php7) and in v4.1 (> php7) ...

... we will keep the input value (+encoding) if no xss was found. I added your examples in the tests, so it will not break again. 😄