From 6e213b17e6ac3a3961e1eabcdaba1c892844398a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Jacquet?=
Date: Wed, 8 Jun 2022 22:08:35 +0200
Subject: [PATCH] Fix stored XSS security issue: decode HTML entities from URL
---
 CHANGES.md | 4 ++++
 functions/PreparePHP_SELF.fnc.php | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/CHANGES.md b/CHANGES.md
index 9ded02ad9..33f44155e 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,6 +1,10 @@
 # CHANGES
 ## RosarioSIS Student Information System
 
+Changes in 9.0.1
+----------------
+- Fix stored XSS security issue: decode HTML entities from URL in PreparePHP_SELF.fnc.php, thanks to @domiee13
+
 Changes in 9.0
 --------------
 - CSS add length to previous meals select in DailyMenus.php
diff --git a/functions/PreparePHP_SELF.fnc.php b/functions/PreparePHP_SELF.fnc.php
index f7dfe677b..280b6a03c 100644
--- a/functions/PreparePHP_SELF.fnc.php
+++ b/functions/PreparePHP_SELF.fnc.php
@@ -191,7 +191,7 @@ function( $match ) {
 );
 
 // Fix stored XSS security issue: decode HTML entities from URL.
-$string = html_entity_decode( (string) $string );
+$string = html_entity_decode( (string) $string, ENT_QUOTES | ENT_HTML5 );
 
 $remove = [
 // Fix stored XSS security issue: remove inline JS from URL.
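Review bot: The single decode pass on the `$string = html_entity_decode( (string) $string, ENT_QUOTES | ENT_HTML5 );` line feeds a denylist (`$remove`, "remove inline JS from URL"), so the protection still depends on the stripped form matching what is eventually rendered; values that arrive entity-encoded more than once, or that are decoded again downstream, are not normalised by one pass. The robust control is to escape at the point of output for the HTML context, `htmlspecialchars( $string, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' )`, and treat decode-then-strip as defence in depth rather than the primary fix. If the decode-then-strip approach is kept, repeat the decode until the value stops changing, `do { $prev = $string; $string = html_entity_decode( $string, ENT_QUOTES | ENT_HTML5, 'UTF-8' ); } while ( $prev !== $string );`, and pass the charset explicitly so behaviour does not depend on the `default_charset` ini setting. The enclosing function starts and ends outside this hunk, so where `$string` is finally emitted cannot be confirmed from here.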