Where or what new condition is showing HTML characters?

Hello,
I've had some sites no longer echo back HTML Text as rendered html. This worked fine but now I need use the htmlspecialchars_decode() function to solve the problem. It's a problem as this was not expected and it's disappointing when Customers are the ones making us aware of the change.

Solved as shown:
<?php echo htmlspecialchars_decode($info->getColumnVal("invDescr")); ?>

I guess it's unrealistic to expect rsobj.php automatically re-write with the htmlspecialchars_decode function. So what solutions do we have? Just remember if you work on a page that will render html content from a recordset value, you'll need wrap it in the noted function...

public function getColumnVal($col,$crossSiteProtect=null) {

      if (is_null($crossSiteProtect)) $crossSiteProtect = $this->CrossSiteProtect;

      $colVal = "";

      if (isset($this->Results[$this->Index]) && isset($this->Results[$this->Index][$col])) {

          $colVal = $this->Results[$this->Index][$col];

          if ($crossSiteProtect) $colVal = htmlspecialchars($colVal);

      }

      return $colVal;

    }

The shortcut is to use:

<?php echo $info->getColumnVal("invDescr",false); ?>

You just have to add the extra "false" parameter to tell it to not add the cross site scripting protection on this field.

This is an extremely useful tip, I'd been tearing my hair out for hours trying to get my book descriptions to appear in my table with their lovely html coding intact, and then I finally spotted the crossSite code section in the getColumnVal function and thought 'hmmm, that's a solid lead to search for answers'... and after all that, ",false" is all it takes and everything's lovely again.

I find this rather frustrating. I would prefer the default be to NOT have that feature and be able to add true to enable it. The vast majority of the time, I am displaying stored information that has been vetted, and would only want this protection on occasion. Using the bindings tab does not include a parameter, so I have to add it with nearly every insertion.

I can customize it in rsobj.php, but then any extension update or perhaps (I have not tested), will wipe out the change.

I would like to see a way to change the default behavior at instantiation.

perhaps adding it to the construct function like:
public function __construct($name,$conn,$maxRows=0,$hardLimit=false,$crossSiteProtect=true) {
...$this->CrossSiteProtect = $crossSiteProtect;

Actually, make that
public function __construct($name,$conn,$maxRows=0,$crossSiteProtect=true,$hardLimit=false) {
...$this->CrossSiteProtect = $crossSiteProtect;
because I think the CSP would be changed more often.

Alternatively a setter method to add to the RS code like:
$rs = new WA_MySQLi_RS("events",$conn_i,0);
$rs->CrossSiteProtect(false);

You can add it to the recordset directly just like you referenced in your code. That works. You have three options.

1) update it in the rsobj.php file (it won't be updated unless the version is updated. You can set the version to a very large number and it will never be updated)
2) update it in the recordset with: $rs->CrossSiteProtect = false; (you can do this at any point, even half way down the page if you want)
3) in each reference to $rs->getColumnVal()... you can turn it on in each reference if it is turned off in the rsobj.php or off when you want if it is on in the rsobj.php file