Merge pull request #325 from freewil/develop

always use charset config item
diff --git a/application/config/config.php b/application/config/config.php
index 880393c..a6d10d8 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -79,6 +79,8 @@
 | This determines which character set is used by default in various methods
 | that require a character set to be provided.
 |
+| See http://php.net/htmlspecialchars for a list of supported charsets.
+|
 */
 $config['charset'] = 'UTF-8';
 
diff --git a/system/core/Security.php b/system/core/Security.php
index 342455f..e99418b 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -525,9 +525,17 @@
 	 * @param	string
 	 * @return	string
 	 */
-	public function entity_decode($str, $charset='UTF-8')
+	public function entity_decode($str, $charset = NULL)
 	{
-		if (stristr($str, '&') === FALSE) return $str;
+		if (stristr($str, '&') === FALSE)
+		{
+			return $str;
+		}
+		
+		if (empty($charset))
+		{
+			$charset = config_item('charset');
+		}
 
 		// The reason we are not using html_entity_decode() by itself is because
 		// while it is not technically correct to leave out the semicolon
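Review bot: The `config_item('charset')` fallback added to `entity_decode()` is used without checking that the lookup returned a usable value, so an unset or mistyped `$config['charset']` would presumably reach the decoding code further down as an empty or unsupported charset. This method sits in the core security class and likely feeds its input filtering, so decoding under a different charset than the one the page is served in is worth guarding against. A last-resort default after the lookup, `if (empty($charset)) { $charset = 'UTF-8'; }`, would preserve the previous behaviour. The docblock above still lists a single `@param string`; add a second line such as `@param string $charset character set; the 'charset' config item is used when empty`. The method body continues outside the hunk.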
diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php
index d9305c0..130daee 100644
--- a/system/helpers/form_helper.php
+++ b/system/helpers/form_helper.php
@@ -642,11 +642,8 @@
 		{
 			return $str;
 		}
-
-		$str = htmlspecialchars($str);
-
-		// In case htmlspecialchars misses these.
-		$str = str_replace(array("'", '"'), array("'", """), $str);
+		
+		$str = html_escape($str);
 
 		if ($field_name != '')
 		{
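Review bot: Replacing the explicit quote handling with `html_escape($str)` makes the escaping of `'` and `"` depend entirely on how `html_escape()` is implemented, which this diff does not show. The removed comment says the `str_replace` was there for quotes that `htmlspecialchars` can miss (single quotes are left alone under its default flags before PHP 8.1), and this value appears to be headed for a form field attribute, where an unescaped quote lets input break out of the attribute. Confirm that `html_escape()` passes `ENT_QUOTES` and the configured charset, and consider a comment such as `// html_escape() must encode both quote characters; this value is emitted inside an attribute`. The enclosing function starts and ends outside the hunk.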
diff --git a/system/helpers/typography_helper.php b/system/helpers/typography_helper.php
index 19b4eec..82e686e 100644
--- a/system/helpers/typography_helper.php
+++ b/system/helpers/typography_helper.php
@@ -39,9 +39,7 @@
 	function nl2br_except_pre($str)
 	{
 		$CI =& get_instance();
-
 		$CI->load->library('typography');
-
 		return $CI->typography->nl2br_except_pre($str);
 	}
 }
@@ -82,9 +80,15 @@
  */
 if ( ! function_exists('entity_decode'))
 {
-	function entity_decode($str, $charset='UTF-8')
+	function entity_decode($str, $charset = NULL)
 	{
 		global $SEC;
+		
+		if (empty($charset))
+		{
+			$charset = config_item('charset');
+		}
+		
 		return $SEC->entity_decode($str, $charset);
 	}
 }
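Review bot: The charset fallback added to the `entity_decode()` helper duplicates the one this commit adds to `entity_decode()` in system/core/Security.php, so the default is now resolved in two places that can drift apart. The helper only forwards to `$SEC->entity_decode($str, $charset)`, so passing `$charset` through unchanged (NULL included) would keep a single source of truth. If the block stays, a comment such as `// the same default is applied inside $SEC->entity_decode()` would make the duplication explicit.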