Fix fetching OPML url with special characters (#7843)

* Decode dynamic OPML url during fetch

* add ENT_QUOTES

* Store as plaintext instead of decoding

app/Controllers/categoryController.php

@@ -59,7 +59,7 @@ class FreshRSS_category_Controller extends FreshRSS_ActionController {
 				Minz_Request::bad(_t('feedback.tag.name_exists', $cat->name()), $url_redirect);
 			}
 
-			$opml_url = checkUrl(Minz_Request::paramString('opml_url'));
+			$opml_url = checkUrl(Minz_Request::paramString('opml_url', plaintext: true));
 			if ($opml_url != '') {
 				$cat->_kind(FreshRSS_Category::KIND_DYNAMIC_OPML);
 				$cat->_attribute('opml_url', $opml_url);
@@ -137,7 +137,7 @@ class FreshRSS_category_Controller extends FreshRSS_ActionController {
 			$position = Minz_Request::paramInt('position') ?: null;
 			$category->_attribute('position', $position);
 
-			$opml_url = checkUrl(Minz_Request::paramString('opml_url'));
+			$opml_url = checkUrl(Minz_Request::paramString('opml_url', plaintext: true));
 			if ($opml_url != '') {
 				$category->_kind(FreshRSS_Category::KIND_DYNAMIC_OPML);
 				$category->_attribute('opml_url', $opml_url);

app/views/helpers/category/update.phtml

@@ -51,7 +51,7 @@
 					<label class="group-name" for="opml_url"><?= _t('sub.category.opml_url') ?></label>
 					<div class="group-controls">
 						<div class="stick">
-							<input id="opml_url" name="opml_url" type="url" autocomplete="off" class="long" data-disable-update="refreshOpml" value="<?= $this->category->attributeString('opml_url') ?>" />
+							<input id="opml_url" name="opml_url" type="url" autocomplete="off" class="long" data-disable-update="refreshOpml" value="<?= htmlspecialchars($this->category->attributeString('opml_url') ?? '', ENT_COMPAT, 'UTF-8') ?>" />
 							<button type="submit" class="btn" id="refreshOpml" formmethod="post" formaction="<?= _url('category', 'refreshOpml', 'id', $this->category->id()) ?>">
 								<?= _i('refresh') ?> <?= _t('gen.action.refresh_opml') ?>
 							</button>