From 02dcf2a9264a4858b3eda41ff9cf65b44014e469 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Mon, 17 Oct 2022 12:21:47 +0200
Subject: [PATCH] Fixes #5203
---
 lib/core/settings.py | 2 +-
 tamper/htmlencode.py | 8 +++++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/lib/core/settings.py b/lib/core/settings.py
index d0221891f..cda640037 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -20,7 +20,7 @@ from thirdparty import six
 from thirdparty.six import unichr as _unichr
 # sqlmap version (...)
-VERSION = "1.6.10.6"
+VERSION = "1.6.10.7"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
diff --git a/tamper/htmlencode.py b/tamper/htmlencode.py
index ef66b24bb..b9a772511 100644
--- a/tamper/htmlencode.py
+++ b/tamper/htmlencode.py
@@ -20,6 +20,12 @@ def tamper(payload, **kwargs):
 >>> tamper("1' AND SLEEP(5)#")
 '1' AND SLEEP(5)#'
+ >>> tamper("1' AND SLEEP(5)#")
+ '1' AND SLEEP(5)#'
 """
- return re.sub(r"[^\w]", lambda match: "&#%d;" % ord(match.group(0)), payload) if payload else payload
+ if payload:
+ payload = re.sub(r"&#(\d+);", lambda match: chr(int(match.group(1))), payload) # NOTE: https://github.com/sqlmapproject/sqlmap/issues/5203
+ payload = re.sub(r"[^\w]", lambda match: "&#%d;" % ord(match.group(0)), payload)
+
+ return payload
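Review bot: The new decode step in `tamper()` (tamper/htmlencode.py) passes an unbounded `\d+` capture straight to `chr(int(match.group(1)))`, so a numeric reference above 0x10FFFF in the incoming payload raises ValueError rather than being left as it is. If Python 2 is still supported, as the `six` imports visible in lib/core/settings.py suggest, plain `chr()` there already fails above 255. A guarded callback such as `lambda match: chr(int(match.group(1))) if int(match.group(1)) <= 0x10FFFF else match.group(0)` keeps the function total; on Python 2 it would also need a unichr-style helper in place of `chr`. The added doctest covers only ASCII code points, so one case with an out-of-range reference would pin the behaviour. The docstring of `tamper()` starts outside the hunk.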