[BUG] Inconsistent behavior of Phalcon\Tag::setAutoescape() #1263

Closed
ghost opened this issue Sep 21, 2013 · 3 comments

Comments

@ghost

ghost commented Sep 21, 2013

\Phalcon\Tag::setAutoescape(false);
echo \Phalcon\Tag::textField(array('name', 'value' => '&"')), PHP_EOL;

\Phalcon\Tag::setAutoescape(true);
echo \Phalcon\Tag::textField(array('name', 'value' => '&"')), PHP_EOL;

\Phalcon\Tag::setDefault('name', '&"');

\Phalcon\Tag::setAutoescape(false);
echo \Phalcon\Tag::textField(array('name')), PHP_EOL;

\Phalcon\Tag::setAutoescape(true);
echo \Phalcon\Tag::textField(array('name')), PHP_EOL;

produces

<input type="text" value="&amp;&quot;" name="name" id="name" />
<input type="text" value="&amp;&quot;" name="name" id="name" />
<input type="text" name="name" id="name" value="&amp;&quot;" />
<input type="text" name="name" id="name" value="&amp;#x26;&amp;#x22;" />

value is escaped due to the bug introduced in a462ba2

However, the real issue is that Phalcon\Tag::getValue() only escapes the value when it is set either by setDefault() or is present in $_POST; if the value was specified in the $params array, it is NOT escaped by getValue() regardless of _autoEscape.

In the second case I would expect to see

<input type="text" value="&amp;amp;&amp;quot;" name="name" id="name" />
@ghost
Author

ghost commented Sep 21, 2013

Currently getValue()'s logic is as follows:

function getValue($name, array $params)
{
    // Value registered through setDefault() wins ...
    if (isset(self::$_displayValues[$name])) {
        $value = self::$_displayValues[$name];
    }
    // ... then a submitted value from the request ...
    else if (isset($_POST[$name])) {
        $value = $_POST[$name];
    }
    // ... and $params is never consulted here.
    else {
        return null;
    }

    //...
}

I suggest that we check the value in the following order:

  1. $params[$name]
  2. self::$_displayValues[$name]
  3. $_POST[$name]

In this scenario we will always honor autoEscape mode.

@phalcon
Collaborator

phalcon commented Sep 21, 2013

Yes, when $params[$name] is set getValue is never called so the order is the same. This is ok, are you going to remove the escaping in getValue()?

This was referenced Sep 22, 2013
@ghost
Author

ghost commented Sep 22, 2013

Changes:

  • attributes are escaped only if autoescape is true
  • getValue() checks first $params, then $_displayValues, then $_POST
  • there is a dedicated function that escapes attributes
  • getValue() does not escape anything anymore
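The lookup order proposed two comments up and the single escaping point listed in the changes above, as an added example that is not Phalcon's code or the issue author's: a hypothetical TagModel class whose getValue() checks $params, then setDefault() values, then $_POST and never escapes, while a dedicated escapeAttr() runs only when autoescape is on. It assumes the inline value reaches getValue() under the 'value' key of $params, and it replays the four cases from the report so the inline and setDefault() values come out identical in each mode.

```php
<?php
// Hypothetical model of the behaviour proposed in this issue (not Phalcon's own
// code): one dedicated attribute escaper applied only when autoescape is on, and
// a value lookup order of $params, then setDefault() values, then $_POST.
final class TagModel
{
    private static bool $autoEscape = true;
    private static array $displayValues = [];

    public static function setAutoescape(bool $on): void { self::$autoEscape = $on; }

    public static function setDefault(string $name, string $value): void
    {
        self::$displayValues[$name] = $value;
    }

    // The only place escaping happens, so a value can never be escaped twice.
    private static function escapeAttr(string $value): string
    {
        return self::$autoEscape ? htmlspecialchars($value, ENT_QUOTES, 'UTF-8') : $value;
    }

    // Raw value in the proposed order; never escapes. Assumes the inline value
    // arrives under the 'value' key of $params, as in textField(['name', 'value' => ...]).
    public static function getValue(string $name, array $params): ?string
    {
        $raw = $params['value'] ?? self::$displayValues[$name] ?? $_POST[$name] ?? null;
        return $raw === null ? null : (string) $raw;
    }

    public static function textField(array $params): string
    {
        $name  = (string) ($params[0] ?? $params['name'] ?? '');
        $attrs = ['type' => 'text', 'name' => $name, 'id' => $name];
        if (($value = self::getValue($name, $params)) !== null) {
            $attrs['value'] = $value;
        }
        $html = '<input';
        foreach ($attrs as $attr => $raw) {
            $html .= ' ' . $attr . '="' . self::escapeAttr($raw) . '"';
        }
        return $html . ' />';
    }
}

// The four cases from the report: inline value and setDefault() value, autoescape off then on.
TagModel::setDefault('name', '&"');
foreach ([false, true] as $mode) {
    TagModel::setAutoescape($mode);
    echo TagModel::textField(['name', 'value' => '&"']), PHP_EOL;
    echo TagModel::textField(['name']), PHP_EOL;
}
```

With autoescape off both inputs carry the raw value; with it on both carry the value escaped exactly once, which is the consistency the report asks for.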

phalcon pushed a commit that referenced this issue Sep 23, 2013
@ghost ghost closed this as completed Sep 24, 2013