Update `htmlspecialchars` flags for PHP 8.1 default
author: Tim Düsterhus <duesterhus@woltlab.com>
Tue, 4 Jan 2022 09:31:26 +0000 (10:31 +0100)
committer: Tim Düsterhus <duesterhus@woltlab.com>
Thu, 20 Jan 2022 10:14:17 +0000 (11:14 +0100)
This change:

- Encodes `'` as `&#039;`, whereas it previously was not touched.
- Inserts the Unicode replacement character instead of returning an empty
  string when an invalid UTF-8 sequence is passed.

The first change might slightly improve security, whereas the second change
might improve debugging.

see also: https://php.watch/versions/8.1/html-entity-default-value-changes
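The two behavioural differences listed in the commit message, shown side by side. This is an added example and not code from the commit or from the project; `encodeHtmlOld`/`encodeHtmlNew` are hypothetical stand-ins for the old and new flag combinations, and the sample inputs are constructed. The single-quote case is the one that matters for output encoding: a value placed inside a single-quoted HTML attribute is only safely escaped when `'` is encoded, which `ENT_COMPAT` does not do.

```php
<?php
// Added example (not part of the commit): compares the pre-change flags
// (ENT_COMPAT, the PHP < 8.1 default) with the post-change flags
// (ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, the PHP >= 8.1 default).

declare(strict_types=1);

/** Old behaviour: single quotes pass through, invalid UTF-8 yields "". */
function encodeHtmlOld(string $s): string
{
    return \htmlspecialchars($s, \ENT_COMPAT, 'UTF-8');
}

/** New behaviour: single quotes become &#039;, invalid bytes become U+FFFD. */
function encodeHtmlNew(string $s): string
{
    return \htmlspecialchars($s, \ENT_QUOTES | \ENT_SUBSTITUTE | \ENT_HTML401, 'UTF-8');
}

// Constructed sample inputs.
$samples = [
    'single quote'  => "it's",
    'invalid UTF-8' => "caf\xC3", // truncated two-byte sequence
];

foreach ($samples as $label => $input) {
    printf(
        "%-14s old=%s new=%s\n",
        $label,
        json_encode(encodeHtmlOld($input)),
        json_encode(encodeHtmlNew($input))
    );
}
```

Running this prints `"it's"` against `"it&#039;s"` for the first input, and `""` against `"caf\ufffd"` for the second: the old flags silently discard the whole string on a single bad byte, the new flags keep the valid prefix and mark the bad byte with the replacement character, which is what makes the second change useful for debugging.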

wcfsetup/install/files/lib/util/StringUtil.class.php

index 46206d87367fb71a93a70af0475997dbe499a310..918c560e863672bb645d22a62cabd9fe6f72ce14 100644 (file)
@@ -119,7 +119,11 @@ final class StringUtil
      */
     public static function encodeHTML($string)
     {
-        return @\htmlspecialchars((string)$string, \ENT_COMPAT, 'UTF-8');
+        return @\htmlspecialchars(
+            (string)$string,
+            \ENT_QUOTES | \ENT_SUBSTITUTE | \ENT_HTML401,
+            'UTF-8'
+        );
     }
 
     /**
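Review bot: the `@` error-suppression operator in front of `\htmlspecialchars` is carried over unchanged; now that `\ENT_SUBSTITUTE` is set, an invalid UTF-8 input is replaced instead of producing an empty string, so consider whether the suppression is still needed, since it also hides any future warning raised by this call. Minor: `\ENT_HTML401` is the default document-type flag (value 0), so listing it is purely documentary; it is fine to keep for clarity, but the docblock above the method should then also state that `'` is now encoded as `&#039;` and that the flags are pinned so the result is identical on PHP versions before and after 8.1.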