Make escaping html entities the default for geturl
Make escaping html entities the default for geturl

--- a/include/smartyplugins/function.geturl.php
+++ b/include/smartyplugins/function.geturl.php
@@ -19,9 +19,9 @@
 	}
 	unset($params['fullurl']);
 
-	$escape = false;
-	if (!empty($params['escape']) && ($params['escape'] == true))
-		$escape = true;
+	$escape = true;
+	if (isset($params['escape']) && ($params['escape'] == false))
+		$escape = false;
 	unset($params['escape']);
 
 	$router = $template->getTemplateVars('router');
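Review bot: The opt-out test `$params['escape'] == false` is a loose comparison, so `escape=0`, `escape=""` and `escape="0"` switch escaping off just as boolean false does, while the string "false" leaves it on. Now that escaping is the safe default, the opt-out is better kept narrow with `if (isset($params['escape']) && $params['escape'] === false)`, provided no existing template relies on `escape=0`. A comment above it such as `// Escaped by default; pass escape=false only when the URL is not written into HTML (e.g. a redirect header).` would tell template authors when opting out is appropriate. The enclosing function begins and ends outside this hunk.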
@@ -31,7 +31,7 @@
 	}
 	$finalurl = $router->GetUrl($params, $full);
 	if ($escape)
-		$finalurl = htmlspecialchars($finalurl);
+		$finalurl = htmlspecialchars($finalurl, ENT_COMPAT, 'UTF-8', false);
 
 	return $finalurl;
 }
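Review bot: `ENT_COMPAT` on the `htmlspecialchars` line leaves single quotes unencoded, so the new default protects the URL only inside double-quoted attributes. A template that writes `href='{geturl ...}'` would still let a `'` in the URL end the attribute. I would use `$finalurl = htmlspecialchars($finalurl, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);`, which also substitutes invalid UTF-8 instead of returning an empty string. Separately, `double_encode = false` passes through any entity-looking sequence already in the URL (a literal `&amp;` or `&lt;` in a parameter value) and the browser then decodes it. That is harmless only if `GetUrl()` percent-encodes `&` in values, which is not visible in this hunk and is worth a comment on that line.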
