From 0c0c4c5f3654461c387e254020eaa99288da92c5 Mon Sep 17 00:00:00 2001
From: Nate <github@najo.com>
Date: Tue, 31 Dec 2019 07:19:51 -0700
Subject: [PATCH] Variables/Modules: Replace url encoding in select box
 options.

---
 app/vars/vars.php       | 2 +-
 resources/functions.php | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/app/vars/vars.php b/app/vars/vars.php
index c92c9bc520..9d77655dea 100644
--- a/app/vars/vars.php
+++ b/app/vars/vars.php
@@ -233,7 +233,7 @@
 				echo $text['label-'.$row['var_enabled']];
 			}
 			echo "	</td>\n";
-			echo "	<td class='description overflow hide-sm-dn'>".escape($row['var_description'])."</td>\n";
+			echo "	<td class='description overflow hide-sm-dn'>".escape(base64_decode($row['var_description']))."</td>\n";
 			if (permission_exists('var_edit') && $_SESSION['theme']['list_row_edit_button']['boolean'] == 'true') {
 				echo "	<td class='action-button'>\n";
 				echo button::create(['type'=>'button','title'=>$text['button-edit'],'icon'=>$_SESSION['theme']['button_icon_edit'],'link'=>$list_row_url]);
diff --git a/resources/functions.php b/resources/functions.php
index 74a8a11ca3..2dd01219ed 100644
--- a/resources/functions.php
+++ b/resources/functions.php
@@ -301,9 +301,9 @@
 
 			$html = "<table border='0' cellpadding='1' cellspacing='0'>\n";
 			$html .= "<tr>\n";
-			$html .= "<td id=\"cell".urlencode($field_name)."1\">\n";
+			$html .= "<td id=\"cell".escape($field_name)."1\">\n";
 			$html .= "\n";
-			$html .= "<select id=\"".urlencode($field_name)."\" name=\"".urlencode($field_name)."\" class='formfld' onchange=\"if (document.getElementById('".$field_name."').value == 'Other') { /*enabled*/ document.getElementById('".$field_name."_other').style.display=''; document.getElementById('".$field_name."_other').className='formfld'; document.getElementById('".$field_name."_other').focus(); } else { /*disabled*/ document.getElementById('".$field_name."_other').value = ''; document.getElementById('".$field_name."_other').style.display='none'; } \">\n";
+			$html .= "<select id=\"".escape($field_name)."\" name=\"".escape($field_name)."\" class='formfld' onchange=\"if (document.getElementById('".$field_name."').value == 'Other') { /*enabled*/ document.getElementById('".$field_name."_other').style.display=''; document.getElementById('".$field_name."_other').className='formfld'; document.getElementById('".$field_name."_other').focus(); } else { /*disabled*/ document.getElementById('".$field_name."_other').value = ''; document.getElementById('".$field_name."_other').style.display='none'; } \">\n";
 			$html .= "<option value=''></option>\n";
 
 			$sql = "select distinct(".$field_name.") as ".$field_name." ";
@@ -313,7 +313,7 @@
 			if (is_array($result) && @sizeof($result) != 0) {
 				foreach($result as $field) {
 					if (strlen($field[$field_name]) > 0) {
-						$html .= "<option value=\"".urlencode($field[$field_name])."\" ".($field_current_value == $field[$field_name] ? "selected='selected'" : null).">".urlencode($field[$field_name])."</option>\n";
+						$html .= "<option value=\"".escape($field[$field_name])."\" ".($field_current_value == $field[$field_name] ? "selected='selected'" : null).">".escape($field[$field_name])."</option>\n";
 					}
 				}
 			}