Move around searchTerm escaping, document.

docs/NEWS

@@ -1,8 +1,11 @@
 #
 
-Version 2.0-rc1 (includes beta4/5/6) (December 11th, 2014)
+Version 2.0-rc1 (includes beta4/5/6) (December 19th, 2014)
 ------------------------------------------------------------------------
 
+    * entryproperties plugin will not automatically disable nl2br
+      markup, when the WYSIWYG editor is used to create en entry
+      
     * Fix for syndication subtome onclick handler
     
     * Fix problematic preview stylesheet reference

include/compat.inc.php

@@ -280,11 +280,6 @@ if (empty($_SERVER['REQUEST_URI'])) {
     $_SERVER['REQUEST_URI'] = $_SERVER['SCRIPT_NAME'] . '?' . (!empty($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '');
 }
 
-// Some security issues
-if (isset($serendipity['GET']['searchTerm'])) {
-    $serendipity['GET']['searchTerm'] = serendipity_specialchars(strip_tags($serendipity['GET']['searchTerm']));
-}
-
 /**
  * Translate values coming from the Database into native PHP variables to detect boolean values.
  *

serendipity_config.inc.php

@@ -432,6 +432,11 @@ if (!isset($serendipity['GET']['adminAction'])) {
     $serendipity['GET']['adminAction'] = (isset($serendipity['POST']['adminAction']) ? $serendipity['POST']['adminAction'] : '');
 }
 
+// Make sure this variable is always properly sanitized. Previously in compat.inc.php, but there LANG_CHARSET was not defined.
+if (isset($serendipity['GET']['searchTerm'])) {
+    $serendipity['GET']['searchTerm'] = serendipity_specialchars(strip_tags($serendipity['GET']['searchTerm']));
+}
+
 // Some stuff...
 if (!isset($_SESSION['serendipityAuthedUser'])) {
     $_SESSION['serendipityAuthedUser'] = false;