From 50eca61f68815005f3b0f808578cc1ce3b4297f0 Mon Sep 17 00:00:00 2001 From: Craig Francis Date: Wed, 6 Jan 2021 17:44:11 +0000 Subject: Use ENT_QUOTES|ENT_SUBSTITUTE default for HTML encoding and decoding functions htmlspecialchars() etc now use ENT_QUOTES | ENT_SUBSTITUTE rather than ENT_COMPAT by default. Closes GH-6583. --- UPGRADING | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'UPGRADING') diff --git a/UPGRADING b/UPGRADING index 1b2fafcbc7..3c0939796e 100644 --- a/UPGRADING +++ b/UPGRADING @@ -69,6 +69,12 @@ PHP 8.1 UPGRADE NOTES - Standard: . version_compare() no longer accepts undocumented operator abbreviations. + . htmlspecialchars(), htmlentities(), htmlspecialchars_decode(), + html_entitity_decode() and get_html_translation_table() now use + ENT_QUOTES | ENT_SUBSTITUTE rather than ENT_COMPAT by default. This means + that ' is escaped to ' while previously it was left alone. + Additionally, malformed UTF-8 will be replaced by a Unicode substitution + character, instead of resulting in an empty string. ======================================== 2. New Features -- cgit v1.2.1
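Review bot: In the added Standard entry of UPGRADING, the function name is misspelled as html_entitity_decode(); it should read html_entity_decode() so that anyone searching the upgrade notes for the real function name finds this change. The sentence "' is escaped to '" also does not show the replacement as displayed here; write the entity out literally (&#039; is what ENT_QUOTES produces under the default document type) and confirm it survives whatever renders this file. The entry lists htmlspecialchars_decode() and html_entity_decode() but describes only the encoding side; consider adding a clause stating that the decode functions now also convert single-quote entities back by default, since code that compares or re-encodes decoded output will see different results.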