It's not exactly the same discussion. The other thread was about entering html entities inside message bodies when posting. For the language file, it's possible to use html entities and we normally do not run htmlspecialchars() on it to make it XSS safe. For the posting button, I added a fix to the code. This fix will be in the next version of Phorum.
Edit posting.php. Find the line that says:
Below this line, add this line:
That will fix the post button.
I don't know what to do about the title. I guess we run htmlspecialchars() on it for a reason, but currently I don't have the time to follow the full path for setting the title to see if it is really needed. If you want to experiment with it, then find this code in common.php (line breaks added for readability):
After this line, add the following code, for restoring html entities:
Edit posting.php. Find the line that says:
if ($var == "meta") continue;
Below this line, add this line:
if ($var == "submitbutton_text") continue;
That will fix the post button.
I don't know what to do about the title. I guess we run htmlspecialchars() on it for a reason, but currently I don't have the time to follow the full path for setting the title to see if it is really needed. If you want to experiment with it, then find this code in common.php (line breaks added for readability):
// HTML titles can't contain HTML code, so we strip HTML tags // and HTML escape the title. $PHORUM["DATA"]["HTML_TITLE"] = htmlspecialchars( strip_tags($PHORUM["DATA"]["HTML_TITLE"]), ENT_COMPAT, $PHORUM["DATA"]["HCHARSET"]);
After this line, add the following code, for restoring html entities:
$PHORUM["DATA"]["HTML_TITLE"] =
preg_replace('/&#(\w+);/', '&#$1;', $PHORUM["DATA"]["HTML_TITLE"]);
