- Patch #359276 by Freso, Heine, lyricnz: avoid double encoding/decoding of HTML entities.

includes/common.inc

@@ -1359,12 +1359,12 @@ function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite',
   // Defuse all HTML entities
   $string = str_replace('&', '&', $string);
   // Change back only well-formed entities in our whitelist
-  // Named entities
-  $string = preg_replace('/&([A-Za-z][A-Za-z0-9]*;)/', '&\1', $string);
   // Decimal numeric entities
   $string = preg_replace('/&#([0-9]+;)/', '&#\1', $string);
   // Hexadecimal numeric entities
   $string = preg_replace('/&#[Xx]0*((?:[0-9A-Fa-f]{2})+;)/', '&#x\1', $string);
+  // Named entities
+  $string = preg_replace('/&([A-Za-z][A-Za-z0-9]*;)/', '&\1', $string);
 
   return preg_replace_callback('%
     (

modules/filter/filter.test

@@ -399,6 +399,15 @@ class FilterTestCase extends DrupalWebTestCase {
 
     $f = filter_xss("\xc0aaa");
     $this->assertEqual($f, '', t('HTML filter -- overlong UTF-8 sequences.'));
+
+    $f = filter_xss("Who's Online");
+    $this->assertNormalized($f, "who's online", t('HTML filter -- html entity number'));
+
+    $f = filter_xss("Who's Online");
+    $this->assertNormalized($f, "who's online", t('HTML filter -- encoded html entity number'));
+
+    $f = filter_xss("Who' Online");
+    $this->assertNormalized($f, "who' online", t('HTML filter -- double encoded html entity number'));
   }
 
   /**