diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php
index 6d10a98..7d594d7 100644
--- a/system/helpers/form_helper.php
+++ b/system/helpers/form_helper.php
@@ -335,8 +335,24 @@
{
return '';
}
+
+ $temp = '__TEMP_AMPERSANDS__';
- return str_replace(array("'", '"'), array("'", """), htmlspecialchars($str));
+ // Replace entities to temporary markers so that
+ // htmlspecialchars won't mess them up
+ $str = preg_replace("/&#(\d+);/", "$temp\\1;", $str);
+ $str = preg_replace("/&(\w+);/", "$temp\\1;", $str);
+
+ $str = htmlspecialchars($str);
+
+ // In case htmlspecialchars misses these.
+ $str = str_replace(array("'", '"'), array("'", """), $str);
+
+ // Decode the temp markers back to entities
+ $str = preg_replace("/$temp(\d+);/","&#\\1;",$str);
+ $str = preg_replace("/$temp(\w+);/","&\\1;",$str);
+
+ return $str;
}
// ------------------------------------------------------------------------
diff --git a/system/helpers/xml_helper.php b/system/helpers/xml_helper.php
index 4cc91f4..856722b 100644
--- a/system/helpers/xml_helper.php
+++ b/system/helpers/xml_helper.php
@@ -36,15 +36,18 @@
*/
function xml_convert($str)
{
- $temp = '__TEMP_AMPERSANDS';
-
+ $temp = '__TEMP_AMPERSANDS__';
+
+ // Replace entities to temporary markers so that
+ // ampersands won't get messed up
$str = preg_replace("/&#(\d+);/", "$temp\\1;", $str);
$str = preg_replace("/&(\w+);/", "$temp\\1;", $str);
$str = str_replace(array("&","<",">","\"", "'", "-"),
array("&", "<", ">", """, "'", "-"),
$str);
-
+
+ // Decode the temp markers back to entities
$str = preg_replace("/$temp(\d+);/","&#\\1;",$str);
$str = preg_replace("/$temp(\w+);/","&\\1;", $str);