Inside commerce_customer_commerce_checkout_pane_info() the title is run through check_plain(), but in commerce_checkout_form() it is also run through check_plain().

I'm assuming the one in commerce_customer_commerce_checkout_pane_info() was a mistake, so I'm attaching a patch to remove it.

#1 commerce-double_check_plain-1883308-1.patch (745 bytes) by mjpa
PASSED: [[SimpleTest]]: [MySQL] 3,570 pass(es).


mjpa

Status: Active » Needs review

The patch...

Cottser

Status: Needs review » Reviewed & tested by the community

Very timely, I was just coming here to report the same issue after digging through commerce_customer and i18n.

Without the patch you can end up with panes titled like "Adresse d'expédition".

Thanks @mjpa!

Steps to reproduce:

  1. Install Commerce Kickstart with Localization enabled.
  2. Add a new language.
  3. Navigate to admin/config/regional/translate/translate and translate "Billing information" or "Shipping information" to something that has an apostrophe or ampersand in it.
  4. View the checkout form in the new language you added. The apostrophes, ampersands, etc. are double encoded.

rszrama

Status: Reviewed & tested by the community » Fixed

Found another instance in the checkout pane settings form where we used check_plain() for a select form element's options list, which also resulted in double sanitization. Thanks, mjpa!
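The double sanitization described in this thread, as an added stand-alone example (not code from the Commerce module): the pane definition escapes the title and the form builder escapes it again, so an apostrophe becomes `&amp;#039;`. The fix committed here keeps the call at the output boundary (commerce_checkout_form()) and drops the earlier one; check_plain() is re-implemented below so the snippet runs outside Drupal, and the title, pane_info_* and render_pane_title() helpers are constructed for illustration.

```php
<?php
// Drupal 7's check_plain() is htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
// reproduced here so this example runs without a Drupal bootstrap.
function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed translated title, as a site would receive it back from t().
$translated_title = "Adresse d'expédition";

// BUGGY pattern: the pane definition (hook_commerce_checkout_pane_info)
// escapes the title, and the form builder escapes it again when rendering.
function pane_info_buggy($title) {
  return array('title' => check_plain($title));   // escaped too early
}

// Output boundary: this is the one place the title must be escaped.
function render_pane_title($pane) {
  return '<legend>' . check_plain($pane['title']) . '</legend>';
}

// FIXED pattern: the definition carries the plain title; only the
// output boundary escapes it (this is what the committed patch does).
function pane_info_fixed($title) {
  return array('title' => $title);
}

// Detection helper: an entity whose leading '&' has itself been encoded
// (e.g. "&amp;#039;" or "&amp;amp;") is the signature of double escaping.
function is_double_encoded($html) {
  return preg_match('/&amp;(#x?[0-9a-fA-F]+|[A-Za-z]+);/', $html) === 1;
}

$buggy = render_pane_title(pane_info_buggy($translated_title));
$fixed = render_pane_title(pane_info_fixed($translated_title));

echo $buggy, "\n";
echo $fixed, "\n";
var_dump(is_double_encoded($buggy), is_double_encoded($fixed));
```

Removing the render-side call instead of the definition-side one would also make the double encoding disappear, but would leave the title unescaped at the output boundary; is_double_encoded() can be run over rendered markup in a test to catch the regression without guessing which call was dropped.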


Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.