mirror of
https://codeberg.org/PostERG/xamxam.git
synced 2026-05-06 11:09:18 +02:00
HTML-escaping at write time stores &, < etc. in the DB, corrupting full-text search, tag matching, exports, and any non-HTML consumer. PDO parameterised queries already prevent SQL injection; templates call htmlspecialchars() on output. sanitize_string() now does strip_tags(trim()) only — matching the pattern already used by edit.php which never had this bug. Also deleted the dead $problematique variable (read from POST[problématique] but never passed to any INSERT or used anywhere in the codebase).
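As an added illustration of the point the commit makes (escape on output, not at write time), and not code from the xamxam repository: a PDO/SQLite in-memory table, a `notes` table name and an output helper `h()` are all assumed for this example.

```php
<?php
// Added example, not code from the xamxam project. Assumes an in-memory
// SQLite database via PDO; the 'notes' table and h() helper are constructed.
declare(strict_types=1);

// The pattern the commit adopts: normalise input only, never encode it.
function sanitize_string(string $s): string
{
    return strip_tags(trim($s));
}

// Encoding belongs at the output boundary (templates), applied exactly once.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');

// Constructed sample input containing both markup and an ampersand.
$input = "  Tom & Jerry <b>at</b> home  ";

// Old behaviour (write-time escaping): the HTML entity is what gets stored.
$old = htmlspecialchars(strip_tags(trim($input)), ENT_QUOTES, 'UTF-8');
// New behaviour: plain text is stored; the parameterised INSERT below is
// what prevents SQL injection, so no encoding is needed here.
$new = sanitize_string($input);

$ins = $pdo->prepare('INSERT INTO notes (title) VALUES (:title)');
$ins->execute([':title' => $old]);
$ins->execute([':title' => $new]);

// Search for the text the user actually typed. The row stored with '&amp;'
// cannot match a literal '&', which is the full-text/tag-matching breakage
// the commit describes; only the plainly stored row is found.
$q = $pdo->prepare('SELECT title FROM notes WHERE title LIKE :pat');
$q->execute([':pat' => '%Tom & Jerry%']);
$hits = $q->fetchAll(PDO::FETCH_COLUMN);

// Escape once, at output, so the browser still receives safe markup while
// the database, exports and non-HTML consumers keep the raw text.
foreach ($hits as $title) {
    echo h($title), "\n";
}
```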