Details
Bug
Resolution: Fixed
Medium
4.0.1
None
Description
If an attribute's content contains just '&', the attribute cannot be serialized by eZDataType::serializeContentObjectAttribute(), because invalid XML will be produced.
For example:
There is a bug.xml file:
<?xml version="1.0" encoding="utf-8"?>
<object>
  <attribute name="Kode" type="eztext">
    <text>
      A & C
    </text>
  </attribute>
</object>
and a PHP script:
<?php
$filename = 'bug.xml';
$dom = new DOMDocument( '1.0', 'utf-8' );
$dom->preserveWhiteSpace = false;
$dom->load( $filename );
var_dump( $dom->saveXML() );
?>
Output will be:
Warning: DOMDocument::load(): xmlParseEntityRef: no name in bug.xml, line: 6 in x.php on line 5
string(39) "<?xml version="1.0" encoding="utf-8"?>
"
The same problem exists in kernel/classes/ezdatatype.php, in eZDataType::serializeContentObjectAttribute():
...
$value = $objectAttribute->attribute( $attributeName );
unset( $attributeNode );
$attributeNode = $dom->createElement( $xmlName, (string)$value );
$node->appendChild( $attributeNode );
...
The $value variable can contain ampersands and should be escaped there before creating the XML element.
Proposed fix:
Change
$attributeNode = $dom->createElement( $xmlName, (string)$value );
to
$attributeNode = new DOMElement( $xmlName, (string)$value );
$attributeNode = $dom->importNode( $attributeNode );
if ( !empty( $value ) )
{
    $attributeNode->appendChild( new DOMText( $value ) );
}
or
$attributeNode = $dom->createElement( $xmlName, htmlentities( $value ) );
Steps to reproduce
Create an object with an eztext attribute.
Store & as the content of this eztext attribute.
Create a package based on this object.
Try to install this package.
The package should not be installed due to wrong XML stored in the /var/storage/packages/[REPOS_ID]/[NAME]/contentobjects.xml file.
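The following is an added example, not code from the report or from eZ Publish: it builds the same one-attribute document four ways (the current createElement() call, the htmlentities() variant proposed above, htmlspecialchars() with ENT_XML1, and a separate text node) and reports which outputs re-parse to the original value. The helper names serializeWith() and roundTrip() and the sample value are constructed for illustration.

```php
<?php
// Added example. Helper names and the sample value are constructed for illustration.

// Serialize one <attribute> inside <object>, building the node with $makeNode.
function serializeWith( callable $makeNode, string $value ): string
{
    $dom = new DOMDocument( '1.0', 'utf-8' );
    $root = $dom->appendChild( $dom->createElement( 'object' ) );
    $root->appendChild( $makeNode( $dom, 'attribute', $value ) );
    return $dom->saveXML();
}

// Re-parse the XML; return the text content, or null if it is not well-formed.
function roundTrip( string $xml ): ?string
{
    $previous = libxml_use_internal_errors( true );
    $dom = new DOMDocument();
    $ok = $dom->loadXML( $xml );
    libxml_clear_errors();
    libxml_use_internal_errors( $previous );
    return $ok ? $dom->documentElement->textContent : null;
}

$strategies = [
    // Current code path: the value is handed to createElement() unescaped.
    'createElement( raw )' => fn( $dom, $name, $v ) => @$dom->createElement( $name, $v ),
    // Second proposed fix: htmlentities() also rewrites non-ASCII characters
    // as HTML named entities, which XML does not predefine.
    'htmlentities' => fn( $dom, $name, $v ) => $dom->createElement( $name, htmlentities( $v ) ),
    // Escapes only the XML markup characters.
    'htmlspecialchars ENT_XML1' => fn( $dom, $name, $v ) =>
        $dom->createElement( $name, htmlspecialchars( $v, ENT_XML1 | ENT_NOQUOTES, 'UTF-8' ) ),
    // Text node: the serializer escapes the value when the document is written.
    'createTextNode' => function ( $dom, $name, $v ) {
        $node = $dom->createElement( $name );
        $node->appendChild( $dom->createTextNode( $v ) );
        return $node;
    },
];

$value = 'A & C <é>'; // constructed sample value
foreach ( $strategies as $label => $makeNode ) {
    $xml  = serializeWith( $makeNode, $value );
    $back = roundTrip( $xml );
    printf( "%-26s %s\n", $label, $back === $value ? 'round-trips' : 'lost or invalid' );
}
```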