Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
See attached screenshot
Comment | File | Size | Author |
---|---|---|---|
#2 | 1089328-fixing-double-escaped-title-2-D7.patch | 967 bytes | recrit |
Product reference escaping.png | 19.33 KB | rupertj |
Comments
Comment #1
rupertj CreditAttribution: rupertj commentedForgot to add: The titles of these products were just entered as "A day's subscription to the site", etc. I'm not trying to type anything weird in ;)
Comment #2
recrit CreditAttribution: recrit commentedthe title is getting double escaped in commerce_product_reference_options_list() since sku and title get escaped already in commerce_product_match_products() via _commerce_product_match_products_standard().
The attached patch removes the escaping in commerce_product_reference_options_list().
The patch is a -p0 patch.
Comment #3
pcambraComment #4
essbee CreditAttribution: essbee commentedPatch applied, fixed my display issues.
Comment #5
rszrama CreditAttribution: rszrama commentedHmm, actually, they get sanitized through the "rendered" key in the return value, but the individual values themselves aren't sanitized that I see. I could be missing it given the late hour, of course. I wonder if instead it's the options list function that invokes this callback performing the duplicate sanitization... will have to look into it tomorrow.
Comment #6
bc24102 CreditAttribution: bc24102 commentedApplied the patch, but it didn't work for me. I am running the latest dev version of drupal commerce.
Edit: When adding a product to the product reference field in the edit form it displays properly. However, the entities are not escaped when actually looking at the product.
Comment #7
bc24102 CreditAttribution: bc24102 commentedAs I mentioned before my problem was actually that html entities were not displaying properly in the add to cart form.
I believe I have found the problem. Here is my fix for it.
commerce_cart.module line 1469
Please check into this to make sure everything is working properly.
Comment #8
fonant CreditAttribution: fonant commentedThe array of '#options' form a Drupal select element gets passed though check_plain() inside the form_select_options() function in includes/form.inc. So the option values should not be passed through check_plain() when defining the select form element.
The code at line 1648 to 1650 in
commerce_cart.module
should be changed from:to
and the code from 1676 to 1678 should similarly read as follows, without the check_plain():
Edit: This is the fix for the comment above, which isn't actually the same bug as originally described in this issue. To be more correct I've created a new issue for the Add to cart form bug that this solves here: #1365202: Add to Cart form select list double-escapes HTML entities
Comment #9
mr.baileysMarked #1365202: Add to Cart form select list double-escapes HTML entities as a duplicate.
Comment #10
dpolant CreditAttribution: dpolant commentedRegarding #7, I think this introduces an xss risk because essentially you are just reversing the check_plain. To see this, try
dpm(htmlspecialchars_decode(check_plain('<script>alert("hi")</script>')));
- it will print the script (although dpm() makes it harmless by wrapping it in<pre>
tags).My instinct would be to use
filter_xss($input, array())
to filter the titles that get displayed in this and similar cases, passing in an empty array for the$allow_tags
parameter to ensure that no html gets inserted inside option tags.Comment #11
rszrama CreditAttribution: rszrama commentedOk, I did commit Fonant's fix with documentation in #1365202: Add to Cart form select list double-escapes HTML entities. This issue is concerned with the select list options for the product reference field, and I did reproduce the problem of double sanitization in commerce_product_reference_options_list(). However, it's worth noting that this one hook is used to generate the options list for select lists, which will have their options sanitized, and radio buttons / checkboxes, which won't. This means we need to change this is in such a way that it preserves sanitization unless we detect the
$instance['widget']['type'] == 'options_select'
. That's what I've done, and it's worth noting that you actually are responsible for sanitizing optgroup values even in select lists.In testing I also turned up a similar issue in the menu item title for adding products where we were sanitizing the product type title in the menu item even though it gets sanitized by Drupal as a menu item and a page title.
Commit: http://drupalcode.org/project/commerce.git/commitdiff/3171623