Details
-
Type: Improvement
-
Status: Open
-
Priority: Minor
-
Resolution: Unresolved
-
Affects Version/s: 4.3.0
-
Fix Version/s: Unscheduled
-
Component/s: Core CiviCRM
-
Labels: None
-
Versioning Impact: Patch (backwards-compatible bug fixes)
Description
The current design seems to have been adopted in
http://issues.civicrm.org/jira/browse/CRM-5667
and implemented by changing packages/HTML/QuickForm.php.
How does this work? Most forms call HTML_QuickForm::exportValues(). exportValues() contains a hard-coded list of HTML-enabled fields ($skipFields) that are not escaped at all. Every other field is passed through HTML_QuickForm::filterValue(), which does a plain str_replace on the "<" and ">" characters. The SVN history for that line shows a series of consecutive changes with more or less encoding, so the current escaping appears to be the result of successive tweaks rather than a deliberate design.
The solution is somewhat buggy. Because the value is rewritten before it is stored, if a user types "<" into a field, saves, and then goes back to edit it, the field redisplays the replacement text rather than the "<" that was typed. The same pre-escaped value also leaks into any non-HTML medium the data is exported to (e.g. CSV, the API, SQL), where HTML escaping is meaningless.
To resolve these issues, we should switch from the escape-on-input pattern to an escape-on-output pattern: store exactly what the user typed and escape at the point where the value is written into an HTML page.
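The following is an added illustration of the two patterns and is not CiviCRM or HTML_QuickForm code. The function names are hypothetical, and it assumes (the description does not say) that the str_replace in filterValue() substitutes the HTML entities &lt; and &gt;. It shows the round-trip bug on the edit form and the CSV export problem under escape-on-input, and the same data handled with escape-on-output.

```php
<?php
// Added example (not CiviCRM code). Hypothetical function names; only the
// behaviour mirrors what the issue describes about filterValue().

// ---- escape-on-input: the pattern the issue criticises ----

// Mimics a filterValue()-style filter: rewrites the characters before storage.
// Assumption: the replacement is the HTML entities &lt; and &gt;.
function filterOnInput(string $value): string
{
    return str_replace(['<', '>'], ['&lt;', '&gt;'], $value);
}

// Simulated form submit: the *altered* value is what gets persisted.
function storeEscapedOnInput(string $submitted): string
{
    return filterOnInput($submitted);
}

// ---- escape-on-output: the proposed pattern ----

// Store exactly what the user typed.
function storeRaw(string $submitted): string
{
    return $submitted;
}

// Escape only at the HTML boundary. ENT_QUOTES also covers attribute
// values; passing the charset avoids encoding mismatches.
function renderHtml(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Prefill an <input value="..."> from the stored value. The value is
// escaped for the attribute; the browser decodes it and shows the text.
function renderEditField(string $stored): string
{
    return '<input type="text" name="first_name" value="'
        . renderHtml($stored) . '">';
}

// CSV is not an HTML medium: write the raw value and let fputcsv quote it.
function renderCsvRow(array $fields): string
{
    $fh = fopen('php://memory', 'r+');
    fputcsv($fh, $fields);
    rewind($fh);
    $line = stream_get_contents($fh);
    fclose($fh);
    return $line;
}

$typed = 'Smith <Acme>';   // constructed sample input

// Escape-on-input: the stored value has already been rewritten ...
$storedIn = storeEscapedOnInput($typed);
echo "escape-on-input stored: $storedIn\n";
// ... so when the edit form re-escapes it for the value attribute the
// browser displays the literal text "Smith &lt;Acme&gt;", not "Smith <Acme>" ...
echo "escape-on-input edit:   " . renderEditField($storedIn) . "\n";
// ... and a CSV export carries the HTML entities into a non-HTML file.
echo "escape-on-input CSV:    " . renderCsvRow([$storedIn]);

// Escape-on-output: the stored value is intact ...
$storedOut = storeRaw($typed);
echo "escape-on-output stored: $storedOut\n";
// ... the HTML page is still safe ...
echo "escape-on-output HTML:   " . renderHtml($storedOut) . "\n";
// ... the edit field round-trips what was typed ...
echo "escape-on-output edit:   " . renderEditField($storedOut) . "\n";
// ... and the CSV export contains the real characters.
echo "escape-on-output CSV:    " . renderCsvRow([$storedOut]);
```

The point of the second half is that every consumer of the stored value (HTML page, edit form, CSV, API) applies the escaping appropriate to its own medium, which is only possible when the stored value is the unmodified input.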