EZP-27171: Fix escaping for custom tag attribute values #1289
The ezxmltext datatype allows editors to embed custom tags. For example the 'factbox'. A custom tag may have input fields allowing the editor to type in text. For example 'Title' for the 'factbox'.
If you type in a " (double-quote) char into the custom tag field, it is getting encoded twice before the value gets stored in the database. That's problematic because the template that renders the custom tag is not receiving the " char but '&quot;' instead.
Steps to reproduce the issue:
More details where the problem is:
When you hit 'Send for publishing', the HTML form will send all attribute values of the content object to the server. In case of the xmltext attributes, it sends an HTML string. In my test I added a custom tag 'factbox' - the HTML string looks similar to:
For the title field, I typed in "page.html" (with quotes). You can see that those double-quotes are escaped. That's good, otherwise it would break the HTML string (double-quote in an HTML attribute value).
This HTML string is sent to:
That class turns the HTML into an XML format. That XML string is getting stored in the database. In case of my example, that's what you get in the DB:
Here you can see the problem:
That " char gets encoded twice:
There is no good reason for the double-encoding. In XML, you are allowed to have the string &quot; as an attribute value.
The double encoding happens in
setAttribute is escaping the given $value - see http://stackoverflow.com/questions/7294134/php-xml-dom-unwanted-escaping-characters-i-cannot-write-qnot
I changed it to
That will avoid the double-encoding and will render the correct value in the templates.
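The double-encoding described above, reproduced with PHP's DOM extension as an added example (not code from this PR or from eZ Publish). The function names and the sample value are constructed, and decoding once before `setAttribute` is an assumption about one way to avoid the problem, not a statement of the PR's actual change.

```php
<?php
// Added illustration, not eZ Publish code. Names and sample value are constructed.

/** Build one custom-tag element with a title attribute and return its XML. */
function storeCustomTag(string $title): string
{
    $doc = new DOMDocument('1.0', 'utf-8');
    $el = $doc->createElement('custom');
    $el->setAttribute('name', 'factbox');
    // setAttribute() takes the literal value; libxml escapes it on serialization.
    $el->setAttribute('title', $title);
    $doc->appendChild($el);
    return $doc->saveXML($el);
}

/** Parse stored XML and return the title as a template would receive it. */
function loadTitle(string $xml): string
{
    $doc = new DOMDocument();
    $doc->loadXML($xml);
    return $doc->documentElement->getAttribute('title');
}

// Value as it arrives inside the HTML form string: already entity-encoded.
$fromForm = '&quot;page.html&quot;';

// Before: the encoded value is passed straight in and gets escaped a second time.
$double = storeCustomTag($fromForm);

// After: decode exactly once so the DOM holds the literal " character.
$single = storeCustomTag(htmlspecialchars_decode($fromForm, ENT_QUOTES));

foreach (['double' => $double, 'single' => $single] as $label => $xml) {
    printf("%-6s stored: %s\n       loaded: %s\n", $label, $xml, loadTitle($xml));
}

// The round trip must give back the literal value the editor typed.
if (loadTitle($single) !== '"page.html"') {
    throw new RuntimeException('attribute value did not round-trip');
}
```

The value read back from the DOM is raw text, so the template that prints it still has to escape it for its output context.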
kmadejski left a comment
I see in JIRA that this is already approved by QA: https://jira.ez.no/browse/EZP-27171?focusedCommentId=211187&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-211187