This change:
- Encodes `'` as `'`, whereas it previously was not touched.
- Inserts the Unicode replacement character instead of returning an empty
string when an invalid UTF-8 sequence is passed.
The first change might slightly improve security, whereas the second change
might improve debugging.
see also: https://php.watch/versions/8.1/html-entity-default-value-changes
*/
public static function encodeHTML($string)
{
- return @\htmlspecialchars((string)$string, \ENT_COMPAT, 'UTF-8');
+ return @\htmlspecialchars(
+ (string)$string,
+ \ENT_QUOTES | \ENT_SUBSTITUTE | \ENT_HTML401,
+ 'UTF-8'
+ );
}
/**
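Review bot: The `@` error-suppression operator kept on the `htmlspecialchars` call in the `+` lines looks like a leftover from the old behaviour; with `\ENT_SUBSTITUTE` the function substitutes U+FFFD instead of returning an empty string on malformed UTF-8, so there is no longer a silent-failure case to paper over, and `@` would also hide any genuine warning. Consider dropping it so the call reads `return \htmlspecialchars(`. Also, the docblock bullet "Encodes `'` as `'`" has lost its entity; with `\ENT_QUOTES | \ENT_HTML401` the apostrophe is emitted as `&#039;`, so the comment should say `&#039;` to match the new flags. Finally, since callers that previously used an empty return value to detect invalid UTF-8 will now receive substituted output, it is worth stating in the docblock that the function no longer signals invalid input.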