Merge branch 'pr-420' into 1.8

diff --cc engine/lib/output.php
index 352de863bfc7139d3e399b5429218bc2c5c7a8d5,d50576b44e869df5d84bcc65bad26ae3e128d943..cce1c7cbab434a86822c794f81da893765c88554
--- 1/engine/lib/output.php
--- 2/engine/lib/output.php
+++ b/engine/lib/output.php
@@@ -399,44 -373,31 +373,73 @@@ function elgg_strip_tags($string) 
        return $string;
  }
  
 -/**\r
 - * Unit tests for Output\r
 - *\r
 - * @param sting  $hook   unit_test\r
 - * @param string $type   system\r
 - * @param mixed  $value  Array of tests\r
 - * @param mixed  $params Params\r
 - *\r
 - * @return array\r
 - * @access private\r
 - */\r
 -function output_unit_test($hook, $type, $value, $params) {\r
 -      global $CONFIG;\r
 -      $value[] = $CONFIG->path . 'engine/tests/api/output.php';\r
 -      return $value;\r
 +/**
 + * Apply html_entity_decode() to a string while re-entitising HTML
 + * special char entities to prevent them from being decoded back to their
 + * unsafe original forms.
 + *
 + * This relies on html_entity_decode() not translating entities when
 + * doing so leaves behind another entity, e.g. > if decoded would
 + * create > which is another entity itself. This seems to escape the
 + * usual behaviour where any two paired entities creating a HTML tag are
 + * usually decoded, i.e. a lone > is not decoded, but <foo> would
 + * be decoded to <foo> since it creates a full tag.
 + *
 + * Note: This function is poorly explained in the manual - which is really
 + * bad given its potential for misuse on user input already escaped elsewhere.
 + * Stackoverflow is littered with advice to use this function in the precise
 + * way that would lead to user input being capable of injecting arbitrary HTML.
 + *
 + * @param string $string
 + *
 + * @return string
 + *
 + * @author Pádraic Brady
 + * @copyright Copyright (c) 2010 Pádraic Brady (http://blog.astrumfutura.com)
 + * @license Released under dual-license GPL2/MIT by explicit permission of Pádraic Brady
 + *
 + * @access private
 + */
 +function _elgg_html_decode($string) {
 +      $string = str_replace(
 +              array('&gt;', '&lt;', '&amp;', '&quot;', '&#039;'),
 +              array('&amp;gt;', '&amp;lt;', '&amp;amp;', '&amp;quot;', '&amp;#039;'),
 +              $string
 +      );
 +      $string = html_entity_decode($string, ENT_NOQUOTES, 'UTF-8');
 +      $string = str_replace(
 +              array('&amp;gt;', '&amp;lt;', '&amp;amp;', '&amp;quot;', '&amp;#039;'),
 +              array('&gt;', '&lt;', '&amp;', '&quot;', '&#039;'),
 +              $string
 +      );
 +      return $string;
  }
 -/**\r
 - * Initialise the Output subsystem.\r
 - *\r
 - * @return void\r
 - * @access private\r
 - */\r
+ 
 -}\r
++/**
++ * Unit tests for Output
++ *
++ * @param sting  $hook   unit_test
++ * @param string $type   system
++ * @param mixed  $value  Array of tests
++ * @param mixed  $params Params
++ *
++ * @return array
++ * @access private
++ */
++function output_unit_test($hook, $type, $value, $params) {
++      global $CONFIG;
++      $value[] = $CONFIG->path . 'engine/tests/api/output.php';
++      return $value;
++}
++
++/**
++ * Initialise the Output subsystem.
++ *
++ * @return void
++ * @access private
++ */
+ function output_init() {
+       elgg_register_plugin_hook_handler('unit_test', 'system', 'output_unit_test');
++}
+ 
+ elgg_register_event_handler('init', 'system', 'output_init');