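/**
 * Converts $text into text that is safe to place in XML element content.
 *
 * Well-formed entity / character references already present in $text are kept
 * as they are; every other "&", and every "<" and ">", is escaped. Quotes are
 * NOT escaped (ENT_NOQUOTES), so the result must not be interpolated into an
 * XML attribute value without additional quoting.
 *
 * @param string $text    Text to convert; may already contain entity references.
 * @param bool   $to_utf8 When true, the result is passed through utf8_encode(),
 *                        i.e. treated as ISO-8859-1 and converted to UTF-8.
 * @return string
 */
function safe_xml($text, $to_utf8 = false)
{
    // Only syntactically valid references pass through unescaped: decimal and
    // (lower-case "x") hex character references, or an ASCII XML name. The
    // previous pattern accepted any run of characters between "&" and ";"
    // (quotes, control characters, ...), which let malformed references reach
    // the output and break well-formedness of the enclosing document.
    // NOTE(review): the numeric value of a character reference is not
    // range-checked here, and named references are only safe if
    // Ent::replace_html() resolves them — confirm against that helper.
    $reference = '/\G&(?:#[0-9]+|#x[0-9A-Fa-f]+|[A-Za-z_:][A-Za-z0-9_:.\-]*);/';

    $out = '';
    $offset = 0;

    // Scan by offset instead of repeatedly truncating $text, so inputs with
    // many ampersands are not re-copied on every iteration.
    while (($pos = strpos($text, '&', $offset)) !== false) {
        // The segment before "&" contains no ampersand, so only "<" and ">"
        // are rewritten. ENT_NOQUOTES is passed explicitly everywhere: the
        // original used the default flags on one branch only, which made quote
        // handling inconsistent and dependent on the PHP version's defaults.
        // NOTE(review): htmlspecialchars() returns '' for input that is invalid
        // in the active charset — confirm callers pass text that matches
        // default_charset, especially when $to_utf8 is used.
        $out .= htmlspecialchars(substr($text, $offset, $pos - $offset), ENT_NOQUOTES);

        if (preg_match($reference, $text, $m, 0, $pos)) {
            $out .= $m[0];
            $offset = $pos + strlen($m[0]);
        } else {
            // Bare ampersand, or something that only looks like a reference.
            $out .= '&amp;';
            $offset = $pos + 1;
        }
    }

    $out .= htmlspecialchars(substr($text, $offset), ENT_NOQUOTES);
    $out = Ent::replace_html($out);

    // utf8_encode() is deprecated as of PHP 8.2; kept to avoid adding an
    // extension dependency from inside this block.
    return $to_utf8 ? utf8_encode($out) : $out;
}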