Open Power Template 2.x family
PLEASE PROVIDE THE TEMPLATES AND/OR PHP CODE IN THE TASK DESCRIPTION (Not URL-s to them). THAT ALLOWS US TO REPRODUCE THE PROBLEM! OTHERWISE WE ARE NOT ABLE TO HELP YOU!
Remember to hide all the security-related pieces of code from the task description, like passwords, server paths etc. for your own safety. Once we close the task, we cannot edit it anymore!
FS#55 - opt:if attributes and opt:on attributes use htmlspecialchars()
Attached to Project:
Open Power Template
Opened by Skruppy (Skrupellos) - Sunday, 22 February 2009, 07:23 GMT-7
Last edited by Zyx (Zyx) - Sunday, 22 February 2009, 23:44 GMT-7
Details

EXAMPLE:

----- template -----
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<opt:root>
<opt:if test="$hello eq 'world'"> x </opt:if>
<div opt:if="$hello eq 'world'">x</div>
<div opt:on="$hello eq 'world'">x</div>
</opt:root>
----- END template -----

RESULT:
The "opt:if" and "opt:on" attributes surround their expression with htmlspecialchars(), the "opt:if" tag doesn't (... and I think the "opt:if" tag is right). The compiler result in the compileDir looks like the following:

----- code -----
<?php if($this->_data['hello']=='world'){ ?> x <?php } ?>
<?php if(htmlspecialchars($this->_data['hello']=='world')){ ?><div>x</div><?php } ?>
<?php $_tag_0 = false; if(htmlspecialchars($this->_data['hello']=='world')){ $_tag_0 = true; ?><div><?php } ?>x<?php if($_tag_0 === true){ } ?></div>
----- END code -----

EXPECTED:
No htmlspecialchars() in the compiler result.

----- code -----
<?php if($this->_data['hello']=='world'){ ?> x <?php } ?>
<?php if($this->_data['hello']=='world'){ ?><div>x</div><?php } ?>
<?php $_tag_0 = false; if($this->_data['hello']=='world'){ $_tag_0 = true; ?><div><?php } ?>x<?php if($_tag_0 === true){ } ?></div>
----- END code -----

SOLUTION:
Add "Opt_Compiler_Class::ESCAPE_OFF" in Opt/Instruction/If.php on line 75 and line 85 as the third parameter to compileExpression().

REMARK:
- I have looked only in If.php for this problem; other opt attributes may also be affected.
- In the code samples there is also another problem: see my next PR :-)
Closed by Zyx (Zyx)
Sunday, 22 February 2009, 23:44 GMT-7
Reason for closing: Fixed
Additional comments about closing: Fixed in rev. 59.
Comment by Zyx (Zyx) - Sunday, 22 February 2009, 07:30 GMT-7
Confirmed, opt:if and opt:on forget to set the flag that the escaping should not be done by the expression compiler. Will be fixed soon.
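
An added example, not part of the report and not Open Power Template code: it runs the two compiled condition shapes from the report over constructed sample values, and goes beyond the report's single comparison to other value types. The function names plain_condition() and wrapped_condition() are hypothetical, and PHP 7 or later is assumed.

```php
<?php
// Added illustration, not Open Power Template code. Requires PHP 7 or later.

// Shape of the expected compiler output: if (<expr>) { ... }
function plain_condition($value): string
{
    return $value ? 'taken' : 'skipped';
}

// Shape of the reported compiler output: if (htmlspecialchars(<expr>)) { ... }
function wrapped_condition($value): string
{
    try {
        // PHP 7 warns and returns null for an array argument (warning
        // suppressed here); PHP 8 throws TypeError instead.
        $escaped = @htmlspecialchars($value);
    } catch (TypeError $e) {
        return 'TypeError';
    }
    return $escaped ? 'taken' : 'skipped';
}

// Constructed sample values a template condition might evaluate to.
$samples = [
    "'world' == 'world'" => ('world' == 'world'),
    "'x' == 'world'"     => ('x' == 'world'),
    'non-empty string'   => 'hello',
    'non-empty array'    => ['a', 'b'],
];

foreach ($samples as $label => $value) {
    printf("%-20s plain: %-8s wrapped: %s\n",
        $label, plain_condition($value), wrapped_condition($value));
}
```

The two comparison rows agree between both shapes, which is why the extra escaping is easy to overlook; the array row does not, because escaping is an output-context operation and a condition can evaluate to something that is not a string.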