 |
Ubercart |
|
|
|
||
|
Wed, 10/29/2008 - 19:52
 Hi, I have some products that have text fields for information entry. When somebody uses an & (ampersand) it shows up as "&" in checkout. Obviously I know what that means but some people might see that and now complete their order because it looks like an error as the fields are character sensitive and used in printing products for them. Is there a way to fix it to where if they enter an "&" in an attribute text field it shows as an "&" in the review order page? Thanks!    
Re: Ampersand and Product Attributes
I don't know of an easy way to fix this, but if you come up with one please let us know, and post it to the issue queue. 
Re: Re: Ampersand and Product Attributes
You can call html_entity_decode() on the attribute text before displaying it. You can do this in theme_cart_review_table() of uc_cart_checkout_pane.inc by changing: <?phpto... <?php
Re: Re: Re: Ampersand and Product Attributes
But I guess that nullifies the security added with the check_plain() call on the value entered by the user...
Re: Re: Re: Re: Ampersand and Product Attributes
Actually, the problem here is that the attribute value gets check_plain() called twice on it, which means htmlspecialchars() gets called twice and causes the output you are seeing. _uc_cart_product_get_options() calls check_plain() on the attribute name. theme('item_list') calls drupal_attributes() for each attribute and in that call check_plain() is called again. You cannot simply remove the check_plain() call from _uc_cart_product_get_options though because then the /cart page produces output without check_plain() never called on it and that creates a xss vulnerability. So I believe the solution will involve taking the check_plain out of _uc_cart_product_get_options() and then adding it at the theme level for the /cart page and anywhere else that attributes are displayed and not sanitized for output...or something to that effect.
Re: Re: Re: Re: Re: Ampersand and Product Attributes
So....Is there a definitive answer? I'm having trouble understanding all that was said. Thanks for checking it out.
Re: Re: Re: Re: Re: Re: Ampersand and Product Attributes
If you need a fix right now, that original suggestion would work, but it involves hacking ubercart...and that is bad. I posted an issue at http://drupal.org/node/328659 so hopefully that gets looked at and then all you need to do is download the next UC version to get it working.  
Re: Re: Re: Re: Re: Re: Re: Ampersand and Product Attributes
As noted in the issue, this was fixed in the Bazaar version. The problem wasn't theme_item_list(), but the t() call before it. uc_product_cart_display() was used to create the cart pane and block, and it wasn't using t() this way. Using @ in t() strings runs check_plain() on those replacements, so that's what needs to happen instead of the check_plain() in uc_cart_get_product_options().
Re: Re: Re: Re: Re: Re: Re: Re: Ampersand and Product Attributes
So what do I need to do with my installation? I have actually never heard of the Bazaar version :-/.
Re: Re: Re: Re: Re: Re: Re: Re: Re: Ampersand and Product Attrib
You can get the ubercart-6.x-2.x download from bazaar.ubercart.org, or wait until tomorrow for it on drupal.org, since I just pushed this change (and a bunch of others) to CVS there.
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Ampersand and Product At
We're on Drupal 5.x. (Ubercart 1.x). Is there a way to fix without hacking Ubercart core for this version?
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Ampersand and Produc
The latest version (http://drupal.org/node/360002) has this fix in it. |
|
