CiviCRM issue CRM-11532

Adopt escape-on-output pattern

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 4.3.0
    • Fix Version/s: Unscheduled
    • Component/s: Core CiviCRM
    • Labels:
      None
    • Versioning Impact:
      Patch (backwards-compatible bug fixes)

      Description

      The current design seems to have been adopted in

      http://issues.civicrm.org/jira/browse/CRM-5667

      and implemented by changing packages/HTML/QuickForm.php.

      How does this work? Most forms call HTML_QuickForm::exportValues(). exportValues() includes a hard-coded list of HTML-enabled fields ($skipFields) which are not subject to any escaping. All other fields are passed to HTML_QuickForm::filterValue(), which does a simple str_replace for "<" and ">" characters. The SVN history for that line shows a series of consecutive changes with more or less encoding, so the current escaping seems to be the outcome of some work.

      The solution is somewhat buggy – e.g. if a user types "<" into some field, saves, and then goes back to edit the field, it will redisplay "&lt;". There are similar bugs if you export data in any non-HTML medium (e.g. CSV, API, SQL).

      To resolve these issues, we should switch from the escape-on-input pattern to escape-on-output.
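      As an added illustration (not CiviCRM's or HTML_QuickForm's code), the round-trip described above: a stand-in for the "<"/">" replacement in filterValue() is applied on input and the stored value is then reused in an edit form and a CSV export, next to the same flow with escaping deferred to the HTML sink. The function names and the sample value are constructed for this example.

```php
<?php
// Added illustration, not CiviCRM or HTML_QuickForm code. escapeOnInput()
// stands in for the str_replace of "<" and ">" that the issue attributes to
// HTML_QuickForm::filterValue(); the two sinks are deliberately simplified.

function escapeOnInput(string $value): string
{
    return str_replace(['<', '>'], ['&lt;', '&gt;'], $value);
}

// Escape-on-output: the HTML sink escapes, the CSV sink does not.
function htmlAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

function csvCell(string $value): string
{
    return '"' . str_replace('"', '""', $value) . '"';
}

// What a browser displays for an attribute value (entities decoded once).
function browserShows(string $attr): string
{
    return html_entity_decode($attr, ENT_QUOTES, 'UTF-8');
}

$typed = 'Budget <2013>';   // constructed sample input

// Current design: escape at submit time, then reuse the stored value everywhere.
$storedIn = escapeOnInput($typed);               // Budget &lt;2013&gt;
$editIn   = browserShows(htmlAttr($storedIn));   // Budget &lt;2013&gt;  (double escaped on re-edit)
$csvIn    = csvCell($storedIn);                  // "Budget &lt;2013&gt;" (entities leak into CSV)

// Proposed design: store what was typed, escape only at the HTML sink.
$storedOut = $typed;                             // Budget <2013>
$editOut   = browserShows(htmlAttr($storedOut)); // Budget <2013>
$csvOut    = csvCell($storedOut);                // "Budget <2013>"

echo "escape-on-input : edit field shows [$editIn], CSV cell $csvIn\n";
echo "escape-on-output: edit field shows [$editOut], CSV cell $csvOut\n";
```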

      People

      • Assignee: Unassigned
      • Reporter: timotten Tim Otten