From the PHP CHANGELOG:
The flag ENT_SUBSTITUTE makes invalid multibyte sequences be replaced by
U+FFFD (UTF-8) or &#FFFD; by htmlspecialchars and htmlentities. It is an
alternative to the default behavior, which just returns an empty string, and to
ENT_IGNORE, which is a security risk. The behavior follows the recommendations
of Unicode Technical Report #36.
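The three handling modes the commit message contrasts, as an added stand-alone example (not code from this Twig commit): it runs htmlspecialchars() over a constructed string containing a lone UTF-8 lead byte and shows what survives under the default, ENT_IGNORE and ENT_SUBSTITUTE. The helper name escape_html_demo is assumed; ENT_SUBSTITUTE only takes effect on PHP >= 5.4.

```php
<?php
// Added example (not part of this Twig commit): shows the three
// htmlspecialchars() modes for an invalid byte sequence. Requires PHP >= 5.4
// for ENT_SUBSTITUTE to take effect; on older PHP the bit is unknown and ignored.

// Same fallback the commit adds, so the constant exists on PHP < 5.4.
if (!defined('ENT_SUBSTITUTE')) {
    define('ENT_SUBSTITUTE', 8);
}

/**
 * Escape $string for HTML with the given flags (helper name assumed here).
 * Returns the escaped result plus a hex dump so U+FFFD (EF BF BD) is visible
 * even when a terminal cannot render it.
 */
function escape_html_demo($string, $flags, $charset = 'UTF-8')
{
    $escaped = htmlspecialchars($string, $flags, $charset);
    return array('out' => $escaped, 'hex' => bin2hex($escaped));
}

// Constructed input: a lone UTF-8 lead byte (0xC3) followed by ASCII markup.
// The "<b>" must still be escaped whatever happens to the bad byte.
$input = "\xC3(<b>x</b>";

$modes = array(
    'ENT_QUOTES (default handling)' => ENT_QUOTES,
    'ENT_QUOTES | ENT_IGNORE'       => ENT_QUOTES | ENT_IGNORE,
    'ENT_QUOTES | ENT_SUBSTITUTE'   => ENT_QUOTES | ENT_SUBSTITUTE,
);

foreach ($modes as $label => $flags) {
    $r = escape_html_demo($input, $flags);
    $shown = ($r['out'] === '') ? '<empty string>' : $r['out'];
    printf("%-30s -> %s (hex %s)\n", $label, $shown, $r['hex']);
}

// What to look for, per the PHP changelog quoted in the commit message:
// - default: the whole value becomes an empty string, so legitimate text is lost;
// - ENT_IGNORE: the bad byte is silently dropped, which is the behaviour
//   Unicode TR#36 warns against (deleting ill-formed bytes can change how
//   the surrounding text is interpreted by a consumer);
// - ENT_SUBSTITUTE: the bad byte is replaced by U+FFFD and the rest of the
//   string, including the escaped markup, is preserved.
```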
* 1.2.0
+ * added better support for encoding problems when escaping a string (available as of PHP 5.4)
* added a way to ignore a missing template when using the "include" tag ({% include "foo" ignore missing %})
* added support for an array of templates to the "include" and "extends" tags ({% include ['foo', 'bar'] %})
* added support for bitwise operators in expressions
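Review bot: the CHANGELOG entry on the added line should state what actually changes for users, since it alters the output of existing templates: invalid multibyte sequences passed to the html escaper are now replaced by U+FFFD instead of the whole string being dropped, and only on PHP >= 5.4 (on older versions the flag has no effect). Something like "invalid multibyte sequences are now replaced by U+FFFD instead of producing an empty string (PHP >= 5.4)" would make that clear.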
<?php
+if (!defined('ENT_SUBSTITUTE')) {
+ define('ENT_SUBSTITUTE', 8);
+}
+
/*
* This file is part of Twig.
*
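Review bot: the defined-constant fallback needs a comment explaining why the value 8 is safe to pass on PHP < 5.4: the bit is not a known htmlspecialchars() flag there, so it is ignored and escaping keeps its old empty-string result for invalid input rather than substituting U+FFFD. It would also be tidier to place the block after the license header comment so the file keeps its usual layout.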
return $string;
case 'html':
- return htmlspecialchars($string, ENT_QUOTES, $charset);
+ return htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE, $charset);
default:
throw new Twig_Error_Runtime(sprintf('Invalid escape type "%s".', $type));
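Review bot: the html case now behaves differently depending on the PHP version, and nothing in the diff tests either path: add a test that escapes a string containing an invalid sequence (e.g. "\xC3(") and asserts U+FFFD followed by the escaped remainder on PHP >= 5.4, and an empty string on older versions where the polyfilled ENT_SUBSTITUTE value has no effect. The docblock of this escaper should also mention that the result may now contain U+FFFD instead of being empty, so callers that treated an empty result as "invalid input" know the contract changed.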