diff --git a/htdocs/core/class/translate.class.php b/htdocs/core/class/translate.class.php
index 3c4c3ea5d36..ab7bf604446 100644
--- a/htdocs/core/class/translate.class.php
+++ b/htdocs/core/class/translate.class.php
@@ -589,16 +589,15 @@ class Translate
/**
* Return text translated of text received as parameter (and encode it into HTML)
- * If there is no match for this text, we look in alternative file and if still not found,
- * it is returned as it is
- * The parameters of this method can contain HTML tags
+ * If there is no match for this text, we look in alternative file and if still not found, it is returned as it is.
+ * The parameters of this method should not contain HTML tags. If there is, they will be htmlencoded to have no effect.
*
* @param string $key Key to translate
* @param string $param1 param1 string
* @param string $param2 param2 string
* @param string $param3 param3 string
* @param string $param4 param4 string
- * @param int $maxsize Max length of text
+ * @param int $maxsize Max length of text. Warning: Will not work if paramX has HTML content. deprecated.
* @return string Translated string (encoded into HTML entities and UTF8)
*/
public function trans($key, $param1 = '', $param2 = '', $param3 = '', $param4 = '', $maxsize = 0)
@@ -621,25 +620,33 @@ class Translate
}
}
+ // We replace some HTML tags by __xx__ to avoid having them encoded by htmlentities because
+ // we want to keep '"' '' '' '' '' '
' '< ' '' that are reliable HTML tags inside translation strings.
+ $str = str_replace(
+ array('"', '', '', '', '', '', '
', '', '< ', '>'), // We accept '< ' but not '<'. We can accept however '>'
+ array('__quot__', '__tagbold__', '__tagboldend__', '__tagbold__', '__tagboldend__', '__taga__', '__tagaend__', '__tagbr__', '__tagspan__', '__tagspanend__', '__lt__', '__gt__'),
+ $str
+ );
+
if (strpos($key, 'Format') !== 0)
{
$str = sprintf($str, $param1, $param2, $param3, $param4); // Replace %s and %d except for FormatXXX strings.
}
+ // Crypt string into HTML
+ $str = htmlentities($str, ENT_COMPAT, $this->charset_output); // Do not convert simple quotes in translation (strings in html are embraced by "). Use dol_escape_htmltag around text in HTML content
+
+ // Restore reliable HTML tags into original translation string
+ $str = str_replace(
+ array('__quot__', '__tagbold__', '__tagboldend__', '__taga__', '__tagaend__', '__tagbr__', '__tagspan__', '__tagspanend__', '__lt__', '__gt__'),
+ array('"', '', '', '', '
', '', '< ', '> '),
+ $str
+ );
+
if ($maxsize) $str = dol_trunc($str, $maxsize);
- // We replace some HTML tags by __xx__ to avoid having them encoded by htmlentities
- $str = str_replace(array('<', '>', '"',), array('__lt__', '__gt__', '__quot__'), $str);
-
- // Crypt string into HTML
- $str = htmlentities($str, ENT_COMPAT, $this->charset_output); // Do not convert simple quotes in translation (strings in html are enmbraced by "). Use dol_escape_htmltag around text in HTML content
-
- // Restore HTML tags
- $str = str_replace(array('__lt__', '__gt__', '__quot__'), array('<', '>', '"',), $str);
-
return $str;
- } else // Translation is not available
- {
+ } else { // Translation is not available
//if ($key[0] == '$') { return dol_eval($key,1); }
return $this->getTradFromKey($key);
}
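Review bot: The parameters are still sprintf'd into $str (`$str = sprintf($str, $param1, $param2, $param3, $param4);`) after the tag-to-placeholder substitution but before the restore pass, so a parameter containing a literal placeholder token such as `__tagbold__` or `__taga__` goes through htmlentities untouched and is then rewritten into a raw tag by the second str_replace, which contradicts the new docblock promise that HTML in paramX has no effect. Encoding each parameter with htmlentities on its own and moving the sprintf after the restore keeps the placeholder round-trip confined to the translation template, where the tokens are trusted. Two smaller points: `dol_trunc` now runs on entity-encoded text, so a cut can land inside an entity like `&amp;` — since $maxsize is marked deprecated, truncating before the encoding step or dropping it would be cleaner; and the restore maps `__gt__` to `'> '` while the search used `'>'`, which looks asymmetric (the tag literals are garbled in this view, so confirm against the file). trans() begins and ends outside this hunk.
```php
// … unchanged: tag -> placeholder substitution on $str …
// Crypt string into HTML (translation template only; parameters are encoded separately below)
$str = htmlentities($str, ENT_COMPAT, $this->charset_output);
// … unchanged: restore reliable HTML tags into $str …
if (strpos($key, 'Format') !== 0) {
    // Parameters never pass through the placeholder round-trip, so a literal __tagbold__ in them stays inert.
    $str = sprintf(
        $str,
        htmlentities($param1, ENT_COMPAT, $this->charset_output),
        htmlentities($param2, ENT_COMPAT, $this->charset_output),
        htmlentities($param3, ENT_COMPAT, $this->charset_output),
        htmlentities($param4, ENT_COMPAT, $this->charset_output)
    );
}
if ($maxsize) $str = dol_trunc($str, $maxsize);
```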
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index f0d6ff9a53c..3eb40f96478 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -1060,7 +1060,7 @@ function dol_escape_json($stringtoescape)
* Returns text escaped for inclusion in HTML alt or title tags, or into values of HTML input fields.
*
* @param string $stringtoescape String to escape
- * @param int $keepb 1=Preserve b tags (otherwise, remove them)
+ * @param int $keepb 1=Keep b tags and escape them, 0=remove them
* @param int $keepn 1=Preserve \r\n strings (otherwise, replace them with escaped value). Set to 1 when escaping for a