Escape characters in log names through quick forms #265
Comments
Thanks for reporting this @Skipper-is! I finally had some time to dig into this, and I committed a fix: 27f657d

Explanation:

This line is actually doing more than it appears. It is not simply replacing https://api.drupal.org/api/drupal/includes%21bootstrap.inc/function/format_string/7.x

In general, this is good. Whenever you are outputting user-generated text (in this case the asset names) to the page, you MUST run it through something like https://api.drupal.org/api/drupal/includes%21bootstrap.inc/function/check_plain/7.x

In this particular case, however, we DON'T need to do that, because we are saving the string to the database (in the log name). We are NOT displaying it on the page (that is done later, and is already being sanitized in those cases). Generally speaking, user input should not be sanitized on save... only on display. (Also note: this is not the same as database injection sanitization, which is also already taken care of by Drupal's database query API.)

So... I fixed this by changing the (I also refactored the usage of the So you can use the same approach in your custom quick form to avoid this issue as well.
There are probably other places where we've used

@Skipper-is also note: I made a few other related changes to the milk quick form that you will want to replicate in your quick form too...

Oh perfect. The use of the array in the second won't work for mine, as I'm using farm_livestock_weight_set rather than just submitting a quantity.
I'm using the milk quick form to create a log.
If I've got an asset with the name "Marge's kid", the apostrophe comes out as the escape character, rather than ' in the log title.
This was also an issue in my quick weight form, which was based on the milk log, but when I changed this to the
farm_livestock_weight_set($assets, $qty, $units, $timestamp);
function, it fixed the issue. So the quick milk form is creating a new log with the log name as:
$log_name = t('Milk @asset: @qty @units', array(
  '@asset' => entity_label('farm_asset', $asset),
  '@qty' => $form_state['values']['quantity'],
  '@units' => $form_state['values']['units'],
));
If the livestock_weight_set function is used (in my quick weight form), it does not use entity_label for the asset name; it goes through farm_log_entity_label_summary, but as far as I can see, all this does is pull the label from exactly the same function:
$label = entity_label($entity_type, $entity);
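The following is an added example (not code from the issue or from farmOS) showing why the '@asset' placeholder stores "Marge&#039;s kid" and what sanitize-on-display looks like instead. The check_plain() and format_string() functions here are simplified stand-ins written to mirror Drupal 7's documented behaviour so the script runs outside Drupal, and the use of '!' placeholders is one possible approach, not the change made in commit 27f657d, which is not reproduced on this page.

```php
<?php
// Stand-ins for Drupal 7's check_plain() and format_string(), reduced to the
// two behaviours that matter here: '@key' values are HTML-escaped, '!key'
// values are inserted verbatim.
function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function format_string($string, array $args = array()) {
  foreach ($args as $key => $value) {
    if ($key[0] === '@') {
      $args[$key] = check_plain($value);
    }
  }
  return strtr($string, $args);
}

// Constructed sample input, taken from the asset name quoted in the issue.
$asset_label = "Marge's kid";
$qty = '12';
$units = 'litres';

// Sanitize-on-save (the behaviour reported): '@asset' escapes the label
// before the title is written to the database.
$stored_escaped = format_string('Milk @asset: @qty @units', array(
  '@asset' => $asset_label, '@qty' => $qty, '@units' => $units,
));
assert($stored_escaped === 'Milk Marge&#039;s kid: 12 litres');

// Sanitize-on-display: store the raw text (hypothetical '!' placeholders,
// since format_string() leaves those untouched) ...
$stored_raw = format_string('Milk !asset: !qty !units', array(
  '!asset' => $asset_label, '!qty' => $qty, '!units' => $units,
));
assert($stored_raw === "Milk Marge's kid: 12 litres");

// ... and escape exactly once, where the title is rendered into HTML.
$rendered = check_plain($stored_raw);
assert($rendered === 'Milk Marge&#039;s kid: 12 litres');

// Rendering the pre-escaped title through the same display path escapes it
// a second time, which is the other cost of sanitizing on save.
$double = check_plain($stored_escaped);
assert($double === 'Milk Marge&amp;#039;s kid: 12 litres');

echo "stored (escaped): $stored_escaped\n";
echo "stored (raw):     $stored_raw\n";
echo "rendered:         $rendered\n";
echo "double-escaped:   $double\n";
```

Storing the raw label is safe with respect to the database because Drupal's query API parameterizes values, as the maintainer notes; escaping belongs to the HTML output layer only.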