
Safer htmlspecialchars_utf8 (#4411)

* Safer htmlspecialchars_utf8
#fix https://github.com/FreshRSS/FreshRSS/issues/4410

* Undefined variable
Alexandre Alapetite vor 3 Jahren
Ursprung
Commit
ec11da4e84
3 geänderte Dateien mit 10 neuen und 3 gelöschten Zeilen
  1. 3 0
      app/Models/Context.php
  2. 3 2
      app/layout/header.phtml
  3. 4 1
      lib/Minz/Helper.php

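--- a/app/Models/Context.php
+++ b/app/Models/Context.php
@@ -43,6 +43,7 @@ class FreshRSS_Context {
 	public static $state = 0;
 	public static $order = 'DESC';
 	public static $number = 0;
+	/** @var FreshRSS_BooleanSearch */
 	public static $search;
 	public static $first_id = '';
 	public static $next_id = '';
@@ -114,6 +115,8 @@ class FreshRSS_Context {
 			return false;
 		}
 
+		FreshRSS_Context::$search = new FreshRSS_BooleanSearch('');
+
 		//Legacy
 		$oldEntries = (int)FreshRSS_Context::$user_conf->param('old_entries', 0);
 		$keepMin = (int)FreshRSS_Context::$user_conf->param('keep_history_default', -5);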
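Review bot: The new `@var FreshRSS_BooleanSearch` docblock in the first hunk promises a non-null object, but `public static $search;` has no initializer, so the property is still `null` until the assignment in the second hunk runs, and it stays `null` on the `return false;` path just above that assignment. Readers that consume `FreshRSS_Context::$search` before or without that method (the template in app/layout/header.phtml is one such caller) should be able to see this from the declaration, so I would make the docblock honest: `/** @var FreshRSS_BooleanSearch|null Null until the context has been initialised; set to an empty search by the initialisation method. */`. The method containing the second hunk begins and ends outside the hunk, so I cannot tell whether any earlier exit path also leaves it unset.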

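--- a/app/layout/header.phtml
+++ b/app/layout/header.phtml
@@ -15,8 +15,9 @@
 		<?php if (FreshRSS_Auth::hasAccess() || FreshRSS_Context::$system_conf->allow_anonymous) { ?>
 		<form action="<?= _url('index', 'index') ?>" method="get">
 			<div class="stick">
-				<input type="search" name="search" id="search" class="extend" value="<?php
-					echo htmlspecialchars(htmlspecialchars_decode(FreshRSS_Context::$search, ENT_QUOTES), ENT_COMPAT, 'UTF-8'); ?>" placeholder="<?= _t('gen.menu.search') ?>" />
+				<input type="search" name="search" id="search" class="extend"
+					value="<?= htmlspecialchars(htmlspecialchars_decode(FreshRSS_Context::$search, ENT_QUOTES), ENT_COMPAT, 'UTF-8') ?>"
+					placeholder="<?= _t('gen.menu.search') ?>" />
 
 				<?php $get = Minz_Request::param('get', ''); ?>
 				<?php if ($get != '') { ?>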
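Review bot: The rewritten `value="..."` line still hands `FreshRSS_Context::$search` straight to `htmlspecialchars_decode()`, while the same commit documents that property as a `FreshRSS_BooleanSearch` object and initialises it as one; that only works if the class defines `__toString()`, which this page does not show, so please confirm it, otherwise this template will fail with an object-to-string conversion error rather than render. Where the class exposes the raw query through a getter, calling that explicitly instead of relying on implicit conversion would make the intent clearer and survive a later `strict_types` declaration. The decode-then-encode round trip is also worth a one-line comment so the next reader does not "simplify" it away, e.g. `<?php /* $search may already be entity-encoded; normalise before escaping for the attribute */ ?>`.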

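--- a/lib/Minz/Helper.php
+++ b/lib/Minz/Helper.php
@@ -16,7 +16,10 @@ class Minz_Helper {
 	public static function htmlspecialchars_utf8($var) {
 		if (is_array($var)) {
 			return array_map(array('Minz_Helper', 'htmlspecialchars_utf8'), $var);
+		} elseif (is_string($var)) {
+			return htmlspecialchars($var, ENT_COMPAT, 'UTF-8');
+		} else {
+			return $var;
 		}
-		return htmlspecialchars($var, ENT_COMPAT, 'UTF-8');
 	}
 }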
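Review bot: The new `else { return $var; }` branch returns every non-string, non-array value untouched, which quietly turns the old fatal error on unexpected input into an escaping bypass: an object with `__toString()` that the previous code would have coerced and escaped now reaches the caller as-is, and if that caller echoes it into HTML the markup it contains is no longer neutralised. Integers, floats, booleans and null are harmless to pass through, so I would narrow the passthrough and keep objects on the escaping path, `} elseif (is_object($var) && method_exists($var, '__toString')) { return htmlspecialchars((string)$var, ENT_COMPAT, 'UTF-8');` before the final `else`. The function has no docblock; the new contract deserves one, e.g. `/** @param mixed $var @return mixed Strings are escaped for an HTML double-quoted context (recursively for arrays); other types are returned unchanged. */`, so that callers know the return is no longer guaranteed to be a string.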