(In [4080]) fixes #2185

the sanitizeInputValue is called for all input values, generally very often, I think charset detection is pretty slow...

is the piwik.js fix not enough to get the page titles right?

I'll rework it.

(In [4087]) refs #2185 - revert r4080

• for performance, move html_entity_decode out of sanitizeInputValue() since it's only used when we getRequestVar('action_name')
• add unit tests

(In [4092]) refs #2185 - sanitizeInputValue() returned '' if input wasn't valid UTF-8

Re-think:

• re r4087, moved html_entity_decode out of sanitizeInputValue(). Matt wonders if we should also use html_entity_decode for custom variables and referer.
• re forum post, passing an already encoded URL results in double encoding.

Attachment:
2185.patch

The attached patch moves html_entity_code() back to sanitizeInputValue(), and tries to detect/fix double encoding.

I'll come back to this problem after I've thought more about the implications are.

do we need to handle this use case though? It has never been a problem so far, and I really don't want to complicate the sanitize function because it is heavily used, and security related. It must stay simple and fast. So I vote for updating the doc and clarify that we don't accept encoded values, and leave the sanitize as is on trunk (with your new test in the function)

(In [4096]) fixes #2185