
IMPORTANT ANNOUNCEMENT

Due to the uncertain status of the Flyspray project, the lack of new releases and the move of the code repository to GitHub, we decided to shut down this issue tracker by the end of January 2011. From that date, bugs should be reported directly in the GitHub project repositories.

List of repositories:

Open Power Template 2.x family

PLEASE PROVIDE THE TEMPLATES AND/OR PHP CODE IN THE TASK DESCRIPTION (not URLs to them). THAT ALLOWS US TO REPRODUCE THE PROBLEM! OTHERWISE WE ARE NOT ABLE TO HELP YOU!

Remember to hide all the security-related pieces of code from the task description, like passwords, server paths etc. for your own safety. Once we close the task, we cannot edit it anymore!

FS#55 - opt:if attributes and opt:on attributes use htmlspecialchars()

Attached to Project: Open Power Template
Opened by Skruppy (Skrupellos) - Sunday, 22 February 2009, 07:23 GMT-8
Last edited by Zyx (Zyx) - Sunday, 22 February 2009, 23:44 GMT-8
Task Type: Bug Report
Category: Instructions
Status: Closed
Assigned To: Zyx (Zyx)
Operating System: OS-independent
Severity: Low
Priority: Normal
Reported Version: 2.0-beta2
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

EXAMPLE:
----- template -----
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<opt:root>
<opt:if test="$hello eq 'world'">
x
</opt:if>

<div opt:if="$hello eq 'world'">x</div>

<div opt:on="$hello eq 'world'">x</div>
</opt:root>
----- END template -----


RESULT:
The "opt:if" and "opt:on" attributes surround their expression with htmlspecialchars(), the "opt:if" tag doesn't (... and I think the "opt:if" tag is right). The compiler result in the compileDir looks like the following:
----- code -----
<?php if($this->_data['hello']=='world'){ ?>
x
<?php } ?>

<?php if(htmlspecialchars($this->_data['hello']=='world')){ ?><div>x</div><?php } ?>

<?php $_tag_0 = false; if(htmlspecialchars($this->_data['hello']=='world')){ $_tag_0 = true; ?><div><?php } ?>x<?php if($_tag_0 === true){ } ?></div>
----- END code -----


EXPECTED:
No htmlspecialchars() in the compiler result.
----- code -----
<?php if($this->_data['hello']=='world'){ ?>
x
<?php } ?>

<?php if($this->_data['hello']=='world'){ ?><div>x</div><?php } ?>

<?php $_tag_0 = false; if($this->_data['hello']=='world'){ $_tag_0 = true; ?><div><?php } ?>x<?php if($_tag_0 === true){ } ?></div>
----- END code -----


SOLUTION:
Add "Opt_Compiler_Class::ESCAPE_OFF" in Opt/Instruction/If.php on line 75 and line 85 as the third parameter to compileExpression().


REMARK:
- I have looked only in If.php for this problem, other opt attributes may also be affected.
- There is also another problem in the code samples: see my next PR :-)

Closed by Zyx (Zyx)
Sunday, 22 February 2009, 23:44 GMT-8
Reason for closing: Fixed
Additional comments about closing: Fixed in rev. 59.
Comment by Zyx (Zyx) - Sunday, 22 February 2009, 07:30 GMT-8
Confirmed, opt:if and opt:on forget to set the flag that the escaping should not be done by the expression compiler. Will be fixed soon.
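
An added illustration, not part of the original report or of Open Power Template: it evaluates the two compiled condition forms quoted in the report over constructed values and shows that wrapping a condition in htmlspecialchars() turns its boolean result into a string. The array case goes beyond the report and is an assumption about other condition expressions; the closure and function names are hypothetical.

```php
<?php
// Added example, not Open Power Template code: the closures mirror the
// two compiled condition forms quoted in the report.

// Condition wrapped the way the opt:if / opt:on attributes were compiled.
$escapedCond = function ($value) {
    return htmlspecialchars($value);
};
// Condition as compiled for the <opt:if> tag (no escaping).
$plainCond = function ($value) {
    return $value;
};

// Evaluate a condition the way `if (...)` would and describe the outcome:
// the type of the condition value and whether the branch is taken.
function branch(callable $cond, $value)
{
    try {
        $result = @$cond($value);    // PHP 5/7: a bad argument type is a warning plus NULL
    } catch (\TypeError $e) {         // PHP 8: a bad argument type is a TypeError
        return 'TypeError';
    }
    return gettype($result) . ', ' . ($result ? 'taken' : 'skipped');
}

// Constructed sample values of the condition expression.
$hello = 'world';
$cases = [
    "\$hello eq 'world'"        => $hello == 'world',
    "\$hello eq 'mars'"         => $hello == 'mars',
    'non-empty array (assumed)' => ['a', 'b'],
];

foreach ($cases as $label => $value) {
    printf("%-26s plain: %-18s escaped: %s\n",
        $label, branch($plainCond, $value), branch($escapedCond, $value));
}

// Escaping belongs where a value is written into the page, not in control flow.
$userInput = '<b>world</b>';         // constructed sample
echo htmlspecialchars($userInput, ENT_QUOTES, 'UTF-8'), "\n";
```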
