If an HTML character, like '&', is inserted into a customer profile field we're seeing this error when creating an Authorize.net CIM profile:
Warning: SimpleXMLElement::addChild(): unterminated entity reference XXX & XXXX in commerce_simplexml_add_children() (line 953 of ...sites/all/modules/contrib/commerce/commerce.module).
I've created a patch that escapes the $value var when its added to the XML doc.
If the commerce_authnet module should be escaping the data before passing it to the commerce_simplexml_add_children() function I will move my bug report over to there.
| Comment | File | Size | Author |
|---|---|---|---|
| #4 | commerce-xml_ampersand_escaping-2314151-3.patch | 459 bytes | michfuer |
| #2 | unterminated-entity-reference-2314151-2.patch | 472 bytes | epicflux |
| unterminated-entity-reference-commerce_simplexml_add_children.patch | 438 bytes | epicflux |
Comments
Comment #1
epicflux commentedComment #2
epicflux commentedI've updated this patch to call htmlspecialchars directly with the $double_encode parameter set to FALSE.
Comment #4
michfuer commentedNot sure why patch 2 failed the SimpleTest. Here's an alternative method from stack overflow http://stackoverflow.com/questions/17027043/unterminated-entity-referenc..., which should accomplish the same thing.
Comment #5
rszrama commentedTagging for http://contribkanban.com/#/board/commerce/7.x-1.x.
Comment #6
rszrama commentedI went ahead and committed epicflux's patch. I'm not sure what answer you were looking at, Mike, but your patch changes the XML by adding a value child node to every element. No bueno.