Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.When I publish using ecto, every apostrophe is returned to ecto as #039.
* The escaped code does not appear on the Drupal site.
* The escaped code does not appear on ecto itself ... until it downloads the node back to its local archive.
In other words, the apostrophes are passed back to ecto as #039.
This in and of itself may seem like no big deal. However, if I edit the node and re-upload, I have to do a search/replace of all the codes, or they will appear as #039 within the Drupal site itself.
This does not happen with quotation marks, smart quotes or any other character (as far as I know). I went back and forth with Adriaan at ecto about this, and he determined it to be Drupal's doing.
I never noticed this before, and suspect it might have crept in during the xmlrpc-related updates. I should have reported this earlier. My apologies.
| Comment | File | Size | Author |
|---|---|---|---|
| #7 | xmlrpc-quotes.patch | 624 bytes | walkah |
| #2 | xmlrpc-entquotes.patch | 634 bytes | walkah |
Comments
Comment #1
laura s CreditAttribution: laura s commentedChanging to correct version, noting that I did not notice this behavior until 4.6.3, perhaps 4.6.2 (not sure on that part). Sorry for the mismarking.
Comment #2
walkah CreditAttribution: walkah commentedhm... I had thought we fixed this. The error is that xmlrpc.inc uses check_plain (which calls htmlentities() with ENT_QUOTES)... while this is good for XSS prevention ... it's a bit too strong for XMLRPC. attached is a patch which fixes the issue (by replacing check_plain by just a raw htmlentities).
Please apply to both HEAD & DRUPAL-4-6
Comment #3
Dries CreditAttribution: Dries commentedWe decided to undo that patch for reasons I can't remember. Maybe it's worth searching for that old issue.
Comment #4
walkah CreditAttribution: walkah commentedI did search for it and couldn't find it... I actually thought we applied this patch.
The issue is that check_plain is htmlencoding single quotes (') ... which is a) unneccesary for XML and b) very confusing for users trying to use blogapi .
Comment #5
Steven CreditAttribution: Steven commented-1, htmlentities() should never be used because it breaks UTF-8 (and escapes a bunch of stuff unnecessarily). Use htmlspecialchars() instead.
I still believe that clients which cannot interpret entities are messed up and need to be fixed. It means they are not valid XML parsers, but hackjobs. And XML is very specific about what an XML parser should support.
What happens when you use non-ASCII characters in these broken clients? If they don't handle entities, I assume the program's never even heard of encodings?
Oh and the reason we undid that patch is XSS protection. If we don't escape apostrophes, there might be issues in contrib modules or themes.
Comment #6
Steven CreditAttribution: Steven commentedComment #7
walkah CreditAttribution: walkah commentedok. this issue still needs fixing... I have changed the patch to use htmlspecialchars rather than htmlentities...
a quick check of some utf8 chars - they seem to pass ok.
This still needs to be committed, allow me to quote the xmlrpc spec (http://www.xmlrpc.com/spec):
this issue shows up in a vast number of blogging clients. please commit.
Comment #8
walkah CreditAttribution: walkah commentedfeeling bold :)
Comment #9
walkah CreditAttribution: walkah commentedComment #10
Steven CreditAttribution: Steven commentedCommitted to HEAD. Ho, ho, ho.
Comment #11
(not verified) CreditAttribution: commentedComment #12
sun5 years later, I'm going to revert this patch over in #882298: XML-RPC request (string) values are not safe for UTF-8