Details
- Bug
- Resolution: Unresolved
- Medium
- 2011.10, 4.0.7, 4.5.0
- all ez versions
Description
Hi,
None of the text input of the shop user accounts is encoded properly for XML.
kernel/shop/userregister.php:
example:
$firstName = $http->postVariable( "FirstName" );
...
$firstNameNode = $doc->createElement( "first-name", $firstName );
$root->appendChild( $firstNameNode );
If the text contains HTML special chars like &, ", ', < or >, the input is not stored properly.
Fix:
use htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
and
kernel/classes/shopaccounthandlers/ezusershopaccounthandler.php
kernel/classes/shopaccounthandlers/ezsimpleshopaccounthandler.php
kernel/classes/shopaccounthandlers/ezdefaultshopaccounthandler.php
needs to be altered to decode the string again with
html_entity_decode( $text, ENT_QUOTES, 'UTF-8' );
Best wishes,
Georg.
Steps to reproduce
Enter this in the text fields of the /user/register module:
Standards & Poor - <here>is something <very> "special'
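An added example, not eZ Publish code and not from the reporter, that shows the failure mode behind this report and the DOM-native fix. The second argument of DOMDocument::createElement() is documented as not being escaped, so libxml reads a bare "&" in the value as the start of an entity reference and the stored content no longer matches the input. Putting the user text into a text node via createTextNode() instead lets saveXML() escape &, < and > on output and loadXML() restore them on input, so the account handlers need no htmlspecialchars()/html_entity_decode() pair. The root element name shop-account, the function names and the helper readFirstName() are assumptions; first-name is the element name from the report, and the input string is the one from the steps to reproduce.

```php
<?php
declare(strict_types=1);

// Added example, not eZ Publish code. The element name shop-account and the
// function names are assumptions for illustration; first-name is from the report.

// Constructed input: the string given under "Steps to reproduce".
$firstName = 'Standards & Poor - <here>is something <very> "special\'';

/**
 * What kernel/shop/userregister.php does: the value argument of
 * createElement() is not escaped. libxml treats the bare "&" as the start of
 * an entity reference (PHP warns "unterminated entity reference") and the
 * element content is not the original string.
 */
function buildUnsafe(string $firstName): string
{
    $doc  = new DOMDocument('1.0', 'UTF-8');
    $root = $doc->appendChild($doc->createElement('shop-account'));
    // "@" only hides the warning for the demonstration; the data loss remains.
    $root->appendChild(@$doc->createElement('first-name', $firstName));
    return $doc->saveXML();
}

/**
 * Hardened form: create the element without a value and attach the user text
 * as a text node. saveXML() escapes &, < and > itself, and loadXML() on the
 * reader side turns them back into the original characters.
 */
function buildSafe(string $firstName): string
{
    $doc  = new DOMDocument('1.0', 'UTF-8');
    $root = $doc->appendChild($doc->createElement('shop-account'));
    $node = $root->appendChild($doc->createElement('first-name'));
    $node->appendChild($doc->createTextNode($firstName));
    return $doc->saveXML();
}

/**
 * Reader side (what the shop account handlers do with the stored XML):
 * parse it and return the first-name text, or null if the XML is broken.
 */
function readFirstName(string $xml): ?string
{
    $doc = new DOMDocument();
    if (!@$doc->loadXML($xml)) {
        return null; // stored XML is not well-formed
    }
    $nodes = $doc->getElementsByTagName('first-name');
    return $nodes->length > 0 ? $nodes->item(0)->textContent : null;
}

$safeXml = buildSafe($firstName);
echo $safeXml;
if (readFirstName($safeXml) === $firstName) {
    echo "text-node variant: round trip is lossless\n";
}

echo "--- createElement(name, value) variant ---\n";
$unsafeXml = buildUnsafe($firstName);
echo $unsafeXml;
if (readFirstName($unsafeXml) !== $firstName) {
    echo "value-argument variant: input was lost or altered\n";
}
```

Run with `php example.php`. The text-node output carries `&amp;` and `&lt;` in the serialized XML and parses back to exactly the submitted string, which is the property the reporter's htmlspecialchars()/html_entity_decode() round trip is trying to get by hand; using the DOM escaping path also removes the risk of decoding a string twice on the reader side.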