EZP-18867 (eZ Publish / Platform)

kernel/shop/userregister.php - text field input is not encoded properly for xml


    Details

    • Type: Bug
    • Status: Open
    • Priority: Medium
    • Resolution: Unresolved
    • Affects Version/s: 2011.10, 4.0.7, 4.5.0
    • Fix Version/s: None
    • Component/s: Legacy > Webshop
    • Labels: None
    • Environment: all eZ versions

      Description

      Hi,

      None of the text inputs of the shop user accounts are encoded properly for XML.

      kernel/shop/userregister.php:
      example:

      $firstName = $http->postVariable( "FirstName" );
      ...
      // the raw POST value becomes the element's XML content and is not escaped
      $firstNameNode = $doc->createElement( "first-name", $firstName );
      $root->appendChild( $firstNameNode );

      If the text contains HTML special chars like & " ' < or > the input is not stored properly.

      Fix:

      use htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );

      and

      kernel/classes/shopaccounthandlers/ezusershopaccounthandler.php
      kernel/classes/shopaccounthandlers/ezsimpleshopaccounthandler.php
      kernel/classes/shopaccounthandlers/ezdefaultshopaccounthandler.php

      need to be altered to decode the string again with

      html_entity_decode( $text, ENT_QUOTES, 'UTF-8' );

      Best wishes,
      Georg.

      Steps to reproduce

      Enter this in the text fields of the /user/register module:

      Standards & Poor - <here>is something <very> "special'
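The behaviour described in this report, as an added example that is not part of the eZ Publish code base or of the reporter's proposed patch: it builds the same first-name element three ways (the unescaped createElement() call quoted above, the htmlspecialchars() encoding the report proposes, and a createTextNode() variant) and then parses each stored document back the way the shop account handlers would. The shop-account root element name and the function names are assumptions; the sample input is the string from the steps to reproduce.

```php
<?php
// Added example, not code from eZ Publish or from the report's proposed patch.
// It stores the sample input three ways and reads each result back through
// loadXML(), which is how the shop account handlers consume the stored XML.
// Assumed: the <shop-account> root element name and the function names below.

// Constructed input, copied from "Steps to reproduce".
const SAMPLE = 'Standards & Poor - <here>is something <very> "special\'';

function newDoc(): DOMDocument
{
    $doc = new DOMDocument('1.0', 'utf-8');
    $doc->appendChild($doc->createElement('shop-account'));
    return $doc;
}

// 1. The pattern quoted from kernel/shop/userregister.php. createElement()
//    treats its second argument as XML content, not as text: libxml parses
//    '&' as the start of an entity reference, and with no ';' to close it
//    PHP reports "unterminated entity reference" and the remainder is lost.
function buildUnsafe(string $firstName): string
{
    $doc = newDoc();
    try {
        // '@' only keeps the libxml warning out of the listing
        $node = @$doc->createElement('first-name', $firstName);
    } catch (DOMException $e) {
        $node = false;
    }
    if ($node !== false) {
        $doc->documentElement->appendChild($node);
    }
    return $doc->saveXML();
}

// 2. The fix proposed in the report: encode before handing the value to
//    createElement(). libxml resolves &amp; &lt; &gt; &quot; &#039; back to
//    characters while building the text node, and saveXML() escapes them
//    again on output, so the stored document is well-formed.
function buildEncoded(string $firstName): string
{
    $doc = newDoc();
    $encoded = htmlspecialchars($firstName, ENT_QUOTES, 'UTF-8');
    $doc->documentElement->appendChild($doc->createElement('first-name', $encoded));
    return $doc->saveXML();
}

// 3. createTextNode() stores the value literally (no entity parsing) and
//    saveXML() escapes it, so there is nothing to encode or decode around it.
function buildTextNode(string $firstName): string
{
    $doc = newDoc();
    $node = $doc->documentElement->appendChild($doc->createElement('first-name'));
    $node->appendChild($doc->createTextNode($firstName));
    return $doc->saveXML();
}

// Reader side: parse the stored XML and return the element's text, or null
// when the document is not well-formed or the element is missing.
function readFirstName(string $xml): ?string
{
    $doc = new DOMDocument();
    if (!@$doc->loadXML($xml)) {
        return null;
    }
    $node = $doc->getElementsByTagName('first-name')->item(0);
    return $node === null ? null : $node->textContent;
}

$variants = ['unsafe' => 'buildUnsafe', 'encoded' => 'buildEncoded', 'textnode' => 'buildTextNode'];
foreach ($variants as $label => $fn) {
    $xml  = $fn(SAMPLE);
    $back = readFirstName($xml);
    printf("%-8s stored: %s\n", $label, trim($xml));
    printf("%-8s read back intact: %s\n\n", $label, $back === SAMPLE ? 'yes' : 'no');
}
```

Running this shows the unsafe variant's stored document losing the text from the ampersand onward while the encoded and text-node variants both read back exactly the original string. Because the encoded variant already reads back as plain text, running html_entity_decode() over it on the reader side would decode a second time and alter input that legitimately contains entity-looking text such as a literal &amp;; the createTextNode() form avoids that question entirely, since the serializer is the only place escaping happens.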

            People

            Assignee: unknown
            Reporter: Georg Franz (emil.webber)