How about we just introduce an Html::escape for escaping text
to include into html chunks (not attributes, just html; attributes should
always be required to pass through Html::expandAttributes)?

I'm not sure what the relevance of $wgContLang->normalize is. It's not
applicable to html escaping. Xml.php just uses it to make sure that
invalid UTF-8 is not outputted by normalizing the binary, likely so that
XML processors won't choke.

Now for permitting a " " inside text, this is done completely
differently, and not done using htmlspecialchars.

We have a method that does exactly this type of escaping called
Sanitizer::escapeHtmlAllowEntities, however that method uses
htmlspecialchars to do the escaping (and we can't be sure it would be safe
to make it stop escaping quotes, so we can't update it to use Html::escape
later). However, this method is really just a shortcut that makes calls to
two methods.

The proper way to permit " " inside text to be escaped is to use
`Sanitizer::decodeCharReferences( $text );`. This will decode those
character references, converting them into real UTF-8 so they can be safely
passed through. Then you just pass the text to the proper html escaping
method -- which in the future would be Html::escape.

--
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
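
Added example, not part of the original message and not MediaWiki code: a stand-alone sketch of the decode-then-escape order described above, next to escaping alone. `escapeText()` is a hypothetical stand-in for the proposed Html::escape, `decodeRefs()` uses PHP's built-in `html_entity_decode` in place of Sanitizer::decodeCharReferences, and the sample strings are constructed.

```php
<?php
// Added illustration; the function names below are hypothetical.

function decodeRefs( string $text ): string {
	// Turn character references (&nbsp;, &#160;, &lt; ...) into real UTF-8.
	return html_entity_decode( $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
}

function escapeText( string $text ): string {
	// Text-node escaping only: & < > are escaped, quotes are left alone.
	// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
	return htmlspecialchars( $text, ENT_NOQUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

function escapeAllowingRefs( string $text ): string {
	// The order from the message: decode first, then escape exactly once.
	return escapeText( decodeRefs( $text ) );
}

// Constructed sample inputs.
$samples = [
	'Tom&nbsp;&amp;&nbsp;Jerry',       // references the caller wants kept
	'&lt;b&gt;bold&lt;/b&gt;',         // references that decode to markup
	'5 < 6 & "quoted"',                // raw specials and quotes
];

foreach ( $samples as $in ) {
	// json_encode makes the decoded non-breaking space visible as \u00a0.
	printf( "input:              %s\n", json_encode( $in ) );
	printf( "escape only:        %s\n", json_encode( escapeText( $in ) ) );
	printf( "decode then escape: %s\n\n", json_encode( escapeAllowingRefs( $in ) ) );
}

// Decoded markup is re-escaped, so decoding does not let tags through.
$out = escapeAllowingRefs( '&lt;b&gt;bold&lt;/b&gt;' );
assert( strpos( $out, '<' ) === false );

// Quotes survive text escaping, so this output is not safe inside an
// attribute value; attributes need their own escaping path.
assert( strpos( escapeText( 'say "hi"' ), '"' ) !== false );
```

Escaping alone double-encodes the references (`&nbsp;` becomes `&amp;nbsp;`), while decoding first emits the real character and still escapes any `<`, `>` or `&` that the decode step produced.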