From 68285ea31de595c67d5f60720fb76d49c6347f3a Mon Sep 17 00:00:00 2001
From: Greg Gay <gregrgay@gmail.com>
Date: Mon, 18 Jan 2016 19:30:31 -0500
Subject: [PATCH] 5601 added addslashes() in addition to ENT_QUOTES for
 htmlspecialchars()

---
 mods/_standard/forums/forum/new_thread.php    | 6 +++---
 mods/_standard/forums/html/new_thread.inc.php | 8 ++++----
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/mods/_standard/forums/forum/new_thread.php b/mods/_standard/forums/forum/new_thread.php
index 43f7ece5c..037ace16e 100644
--- a/mods/_standard/forums/forum/new_thread.php
+++ b/mods/_standard/forums/forum/new_thread.php
@@ -41,9 +41,9 @@
 	exit;
 } else if (isset($_POST['submit'])) {
 	$missing_fields = array();
-    $_POST['subject'] = htmlspecialchars(strip_tags($_POST['subject']));
-    $_POST['body'] = htmlspecialchars(strip_tags($_POST['body'])); 
-    $_POST['replytext'] = htmlspecialchars(strip_tags($_POST['replytext'])); 
+    $_POST['subject'] = htmlentities(addslashes($_POST['subject']), ENT_QUOTES, 'UTF-8');
+    $_POST['body'] = htmlspecialchars(strip_tags($_POST['body']), ENT_QUOTES, 'UTF-8'); 
+    $_POST['replytext'] = htmlspecialchars(strip_tags($_POST['replytext']), ENT_QUOTES, 'UTF-8'); 
 
 	if ($_POST['subject'] == '')  {
 		$missing_fields[] = _AT('subject');
diff --git a/mods/_standard/forums/html/new_thread.inc.php b/mods/_standard/forums/html/new_thread.inc.php
index f3d606cde..b98c542ea 100644
--- a/mods/_standard/forums/html/new_thread.inc.php
+++ b/mods/_standard/forums/html/new_thread.inc.php
@@ -23,10 +23,10 @@
 
 if (isset($_POST['submit'])) {
 $parent_id	= intval($_POST['parent_id']);
-$parent_name	= htmlspecialchars($_POST['parent_name']);
-$subject =  htmlspecialchars($_POST['subject']);
-$body = htmlspecialchars($_POST['body']);
-$_POST['replytext'] =  htmlspecialchars($_POST['replytext']);
+$parent_name	= htmlspecialchars($_POST['parent_name'], ENT_QUOTES, 'UTF-8');
+$subject =  htmlspecialchars(addslashes($_POST['subject']), ENT_QUOTES, 'UTF-8');
+$body = htmlspecialchars($_POST['body'], ENT_QUOTES, 'UTF-8');
+$_POST['replytext'] =  htmlspecialchars($_POST['replytext'], ENT_QUOTES, 'UTF-8');
 
     //post reply is set when there is an error occuring.
     if ($_POST['reply']!=''){