Open prij opened 10 years ago
Yes, the result of $this->dbObject('Value') is already XML encoded so we don't need to do it again. It'd be a security risk to avoid this encoding. My inclination would actually be to remove the nl2br altogether and just show encoded HTML.
Reproduced on 4.2.6
Displays HTML entities in the "Submission" table for each submission because ATT() converts the values as such (ref framework/core/Convert.php, function raw2xml()).
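
The double-encoding symptom and the encode-once ordering discussed in this thread, as an added example that is not part of the thread or the project's own code. `encode_xml()` is a stand-in built on PHP's `htmlspecialchars()`; the function names and the sample value are assumptions.

```php
<?php
// Stand-in for the framework's XML-encoding step (assumption: plain htmlspecialchars()).
function encode_xml(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical helper: render a submitted value for a table cell.
// The value is encoded exactly once; nl2br() runs afterwards so that the
// <br /> tags it inserts remain markup instead of being encoded themselves.
function render_cell(string $raw, bool $keepLineBreaks = true): string
{
    $encoded = encode_xml($raw);
    return $keepLineBreaks ? nl2br($encoded) : $encoded;
}

// Hypothetical check for templates and tests: an entity whose leading '&'
// has itself been encoded ("&amp;lt;", "&amp;#039;") means the value passed
// through the encoder twice.
function looks_double_encoded(string $html): bool
{
    return preg_match('/&amp;(?:[a-z]+|#\d+|#x[0-9a-f]+);/i', $html) === 1;
}

// Constructed sample submission containing markup, an ampersand and a newline.
$submitted = "Tom & Jerry <b>bold</b>\nsecond line";

$once  = render_cell($submitted);          // encoded once, line break kept
$twice = encode_xml(encode_xml($submitted)); // already-encoded value encoded again

// Wrong order: encoding after nl2br() turns the <br /> tags into visible text.
$brokenBreaks = encode_xml(nl2br($submitted));

echo "once:          ", $once, PHP_EOL;
echo "twice:         ", $twice, PHP_EOL;
echo "broken breaks: ", $brokenBreaks, PHP_EOL;

echo "once double-encoded?  ";
var_dump(looks_double_encoded($once));
echo "twice double-encoded? ";
var_dump(looks_double_encoded($twice));
```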