I found a mildly annoying bug in the admin > catalog > product panel.
If I create a product and give it the name Bamboo 12" Handle and save it, when I return to edit the product the name gets cut off at the quote. So the title now reads Bamboo 12.
I understand the logic of why you would trim the input, but is there any way to work around it without compromising security?
It's a bug.
This and other problems occur when the values of HTML page elements are set programmatically and that value contains HTML markup. In the case of text input fields, this applies to quotes as well. You need to change the template code to something like the following wherever you want to protect your pages from this. The htmlentities function performs the magic required.
Code:
<input name="name[<?php echo $product['language_id']; ?>]" value="<?php echo htmlentities($product['name'], ENT_QUOTES); ?>" />
Wouldn't it be better to simply encode the details before inserting them into the database? 
To encode product titles with HTML entities before inserting them into the database you need to modify /admin/controller/product.php as follows:
Change line 48 from
Code:
$database->query($database->parse($sql, $insert_id, $key, $name[$key], $description[$key]));
to
Code:
$database->query($database->parse($sql, $insert_id, $key, htmlentities($name[$key], ENT_QUOTES), $description[$key]));
and line 111 from
Code:
$database->query($database->parse($sql, $request->get('product_id'), $key, $value, $description[$key]));
to
Code:
$database->query($database->parse($sql, $request->get('product_id'), $key, htmlentities($value, ENT_QUOTES), $description[$key]));
Last edited by barns101 on Mon Jun 09, 2008 11:28 pm, edited 1 time in total.
Not in this case. The problem is not with the data. You can already insert these characters into the database. The problem occurs when the characters become part of the html to be displayed.
As per the example given, if you enter the value "Shovel, 6' handle and 16" blade." as the description for a product, the data goes into the database correctly. However, it does not display correctly in an input field.
Your approach presumes that the data will only be used for display on an HTML page. However, if for example it was sent to a payment gateway or an RSS feed, you would not want the HTML entities replaced with their HTML codes. The target audience in this case would receive what looked like rubbish.
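The two points made in this thread, that the attribute value is cut at the first double quote and that escaping belongs in the template rather than in the INSERT, can be reproduced end to end. The following is an added example written for this page, not code from the thread or from the store's own admin controller; the product row, the two render functions and the browser_value() helper (a minimal stand-in for how a browser reads a value="..." attribute) are all assumptions made for illustration.

```php
<?php
// Added example (not the store's own code). Reproduces the truncation bug from
// the thread with a constructed product row and contrasts escaping at output
// time with pre-encoding the data before it is stored.

// Constructed sample row, shaped like one result from the product table.
$product = ['language_id' => 1, 'name' => 'Bamboo 12" Handle'];

// The original template: the raw value is dropped straight into the attribute.
function render_raw(array $product): string
{
    return '<input name="name[' . $product['language_id'] . ']" value="'
        . $product['name'] . '" />';
}

// The fix suggested in the thread: escape at the moment the value becomes HTML.
// ENT_QUOTES converts both " and ' so the value survives in either quote style;
// passing the charset explicitly avoids mangling non-ASCII names.
function render_escaped(array $product): string
{
    return '<input name="name[' . $product['language_id'] . ']" value="'
        . htmlentities($product['name'], ENT_QUOTES, 'UTF-8') . '" />';
}

// Minimal emulation of a browser reading the value attribute: take everything
// up to the next double quote, then decode entities the way a browser does.
// This is exactly how 'Bamboo 12" Handle' turns into 'Bamboo 12'.
function browser_value(string $html): string
{
    if (preg_match('/value="([^"]*)"/', $html, $m)) {
        return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
    }
    return '';
}

echo "raw template:     ", browser_value(render_raw($product)), "\n";
echo "escaped template: ", browser_value(render_escaped($product)), "\n";

// Why encoding before the INSERT is the wrong layer: the same stored string is
// later handed to consumers that are not HTML (a payment gateway field, an RSS
// item, a plain-text invoice line). Those would show the entity names literally.
$description   = 'Shovel, 6\' handle and 16" blade.';
$storedEncoded = htmlentities($description, ENT_QUOTES, 'UTF-8');
echo "stored raw:         ", $description, "\n";
echo "stored pre-encoded: ", $storedEncoded, "\n";
```

Run with the PHP CLI. The raw template yields Bamboo 12 while the escaped template yields the full name, and the pre-encoded description prints with &#039; and &quot; in place of the quotes, which is what the gateway or feed reader would receive. The general rule the thread arrives at is to store the data unchanged and encode per output context: htmlentities (or htmlspecialchars, which is sufficient for attribute safety) for HTML, XML escaping for a feed, and whatever the gateway's format requires.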