Defect #852

Values containing & are truncated

Added by Portier Thomas about 4 years ago. Updated about 3 years ago.

Status: Closed
Start date: 10/31/2014
Priority: Normal
Due date:
Assignee: -
% Done: 100%

Category: CATALOG
Target version: 4.2.4
Affected version: 4.2.0

Description

When I edit a metadata and I fill a field with a & value, after saving, the value is truncated.

Example:
If I fill in: http://localhost/geoserver/wms?service=WMS&request=gestCapabilities
The value saved is http://localhost/geoserver/wms?service=WMS

I think I found a solution. In components\com_easysdi_catalog\controllers\metadata.php on line 545

I replaced $element->nodeValue = $value; by $element->nodeValue = htmlspecialchars($value);

Before committing it, I would like to verify whether this is the right way to fix the bug.

What do you think?


Related issues

Related to easySDI - Defect #778: Catalog search form: list containing ampersand crashes Closed
Blocks easySDI - Feature #878: Removing applications' management Accepted 12/02/2014

History

#1 Updated by Van Hoecke Hélène about 4 years ago

  • Target version deleted (157)

#2 Updated by Magoni Bruno about 4 years ago

  • Related to Defect #778: Catalog search form: list containing ampersand crashes added

#3 Updated by Magoni Bruno about 4 years ago

  • Assignee changed from Technical Committee to Battaglia Marc

A better way seems to be to carefully read the PHP doc related to #778 before using encoding/decoding stuff...

#4 Updated by Blatti Yves about 4 years ago

Just some inputs on this thing:

A little test I made in the past for #778 (adapted), input is always 'foo&bar'

<?php
//doc
$doc  = new DOMDocument('1.0', 'utf-8');
$doc->formatOutput = true;
//root
$root = $doc->createElementNS('http://da.ns', 'root');
$doc->appendChild($root);
$root->setAttributeNS('http://www.w3.org/2000/xmlns/' ,'xmlns:demo', 'http://foo.bar');

$root->appendChild($doc->createComment('1) ------- createElementNS with value content : fails'));
$item = $doc->createElementNS('http://foo.bar', 'demo:creatElement-OneLine', 'foo&bar');
$root->appendChild($item);

$root->appendChild($doc->createComment('2) ------- createElementNS with value content + htmlspecialchars : pass (Thomas proposal : php level)'));
$item = $doc->createElementNS('http://foo.bar', 'demo:creatElement-OneLine', htmlspecialchars('foo&bar'));
$root->appendChild($item);

$root->appendChild($doc->createComment('3) ------- createElementNS then set nodeValue : fails'));
$item2 = $doc->createElementNS('http://foo.bar', 'demo:creatElement-nodeValue');
$item2->nodeValue = 'foo&bar';
$root->appendChild($item2);

$root->appendChild($doc->createComment('4) ------- createElementNS with createTextNode : pass (My preference : libXml level)'));
$item3a = $doc->createElementNS('http://foo.bar', 'demo:creatElement-createTextNode');
$item3b = $doc->createTextNode ('foo&bar');
$item3a->appendChild($item3b);
$root->appendChild($item3a);

//look pretty in html
echo '<pre>';
echo htmlspecialchars($doc->saveXML());
echo '</pre>';
?>

outputs:

<?xml version="1.0" encoding="utf-8"?>
<root xmlns="http://da.ns" xmlns:demo="http://foo.bar">
  <!--1) ------- createElementNS with value content : fails-->
  <demo:creatElement-OneLine>foo</demo:creatElement-OneLine>
  <!--2) ------- createElementNS with value content + htmlspecialchars : pass (Thomas proposal : php level)-->
  <demo:creatElement-OneLine>foo&amp;bar</demo:creatElement-OneLine>
  <!--3) ------- createElementNS then set nodeValue : fails-->
  <demo:creatElement-nodeValue>foo</demo:creatElement-nodeValue>
  <!--4) ------- createElementNS with createTextNode : pass (My preference : libXml level)-->
  <demo:creatElement-createTextNode>foo&amp;bar</demo:creatElement-createTextNode>
</root>

Explanations come from PHP source code and libXML API:

PHP's createTextNode uses libXML xmlNewDocText
(see PHP_FUNCTION(dom_document_create_text_node) here)

but PHP's createElementNS uses libXML xmlNewDocNode
(see PHP_FUNCTION(dom_document_create_element_ns) here)
libXML API specifies :

Creation of a new node element within a document. @ns and @content are optional (NULL).
NOTE: @content is supposed to be a piece of XML CDATA, so it allow entities references, but XML special chars
need to be escaped first by using xmlEncodeEntitiesReentrant().[...]

So my personal preference would go to my example N°4 using : createTextNode. But serious doc reading is still necessary ...

REF: A (rejected) php bug, with some inputs: https://bugs.php.net/bug.php?id=31613#1106271770
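The createTextNode approach from case 4 above, wrapped as a setter that could stand in for a direct nodeValue assignment. This is an added example, not easySDI code and not from the thread: setElementText() and the demo:url element are hypothetical names. It round-trips the URL from the report and checks that pre-escaping with htmlspecialchars on top of a text node double-encodes the value.

```php
<?php
// Added example; setElementText() and demo:url are hypothetical names.
// Writes literal text through a text node so libxml escapes '&', '<', '>'
// on output instead of parsing the input as entity references.
function setElementText(DOMElement $element, string $value): void
{
    while ($element->firstChild !== null) {   // drop any existing content
        $element->removeChild($element->firstChild);
    }
    $element->appendChild($element->ownerDocument->createTextNode($value));
}

// Constructed input: the URL from the report.
$value = 'http://localhost/geoserver/wms?service=WMS&request=gestCapabilities';

$doc  = new DOMDocument('1.0', 'utf-8');
$root = $doc->createElementNS('http://da.ns', 'root');
$doc->appendChild($root);
$root->setAttributeNS('http://www.w3.org/2000/xmlns/', 'xmlns:demo', 'http://foo.bar');
$item = $doc->createElementNS('http://foo.bar', 'demo:url');
$root->appendChild($item);
setElementText($item, $value);

// Round trip: serialize, parse again, compare with what the user typed.
$check = new DOMDocument();
if (!$check->loadXML($doc->saveXML())) {
    throw new RuntimeException('serialized document is not well-formed');
}
$stored = $check->getElementsByTagNameNS('http://foo.bar', 'url')->item(0)->textContent;
if ($stored !== $value) {
    throw new RuntimeException('value changed during save');
}

// Caveat: escaping at the PHP level AND using a text node encodes twice,
// so pick one layer and apply it consistently.
setElementText($item, htmlspecialchars($value));
if (strpos($doc->saveXML($item), '&amp;amp;') === false) {
    throw new RuntimeException('expected a double-encoded ampersand');
}

echo 'round trip OK: ', $stored, PHP_EOL;
```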

#5 Updated by Magoni Bruno almost 4 years ago

  • Related to Feature #878: Removing applications' management added

#6 Updated by Magoni Bruno almost 4 years ago

  • Affected version changed from to 4.2.0

#7 Updated by Magoni Bruno almost 4 years ago

  • Related to deleted (Feature #878: Removing applications' management)

#8 Updated by Magoni Bruno almost 4 years ago

  • Blocks Feature #878: Removing applications' management added

#9 Updated by Magoni Bruno almost 4 years ago

After reading the doc, and to have similar logic to the #778 fix, I would suggest using the createTextNode method

#10 Updated by Portier Thomas almost 4 years ago

  • Status changed from New to Affected
  • Assignee changed from Battaglia Marc to Portier Thomas
  • Target version set to 4.2.4

#11 Updated by Portier Thomas almost 4 years ago

  • Status changed from Affected to Resolved

#12 Updated by Van Hoecke Hélène almost 4 years ago

  • % Done changed from 0 to 100

#13 Updated by Van Hoecke Hélène almost 4 years ago

  • Status changed from Resolved to Closed

#14 Updated by Van Hoecke Hélène about 3 years ago

  • Assignee deleted (Portier Thomas)
