cannot use inches in product name (vm3.4.0 / XSS)

Started by stAn99, September 21, 2018, 16:08:01 PM


stAn99

We are using a multi-language site, and when we store a product with double quotes (commonly used for inch display), the product is not properly shown when entered a second time from the product list.

how to reproduce:
- as super administrator...
- create and save a product "zz & 5" test sk"
- save it and visit product listing in backend
- click the product name
- you'll see only "zz & 5" there instead of full product name

rendered HTML includes an XSS problem:

<input class="required inputbox" type="text" name="product_name" id="product_name" value="zz3 & zz 3" test" size="32" maxlength="255" />


I don't normally submit security issues to the forum, but I was asked by the VM team leader to post this here...

best regards, stan
----
RuposTel.com
www.rupostel.com
Your customized checkout solution for Virtuemart

jjk

#1
Entering 2 single quotes instead of the double quote should work. There are differences related to country-specific keyboard layouts, languages and operating systems. (I'm not sure if our non-American keyboards enter the same type of double quote as the U.S. and U.K. keyboards.)
Update:
Maybe not the best idea, because 2 single quotes look like the (inch) double quotes, but in the generated source code it will become zz &amp; 5&quot;

Probably similar to the Apostrophe problem discussed here: http://forum.virtuemart.net/index.php?topic=140498.msg493952#msg493952
Non-English Shops: Are your language files up to date?
http://virtuemart.net/community/translations

Milbo

It is allowed, because you can do it as far as I know only as super administrator.
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

Studio 42

I already explained in another post. You have to use this code:
htmlentities($str, ENT_QUOTES, "UTF-8");

$str is $this->product->product_name in your case
<?php echo htmlentities($this->product->product_name, ENT_QUOTES, "UTF-8"); ?>
IF you are sure the input uses double quotes, then ENT_COMPAT is only needed to convert the double quote.

See http://php.net/manual/fr/function.htmlentities.php for all information; I hope one day a dev changes this code for all inputs.
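As an added example (not code from this thread or from VirtueMart), the following PHP script contrasts the raw attribute rendering from the report with the htmlentities() call recommended above, using the product name from the original report as input; the function names and the attribute-decoding helper are my own.

```php
<?php
// Constructed sample: the product name from the original report.
$productName = 'zz & 5" test sk';

// Rendering as observed in the report: the value is placed in the attribute
// unescaped, so the double quote inside it closes the attribute early and the
// remainder of the name ends up outside the value.
function renderRaw(string $name): string
{
    return '<input type="text" name="product_name" value="' . $name . '" />';
}

// Hardened rendering: &, <, >, " and ' are escaped before the value is placed
// in the attribute. ENT_QUOTES handles both quote styles, so the call stays
// correct whichever delimiter the template uses for the attribute.
function renderEscaped(string $name): string
{
    return '<input type="text" name="product_name" value="'
        . htmlentities($name, ENT_QUOTES, 'UTF-8') . '" />';
}

// Helper that reads the value attribute back the way a browser would: take
// the text up to the next double quote, then decode any entities in it.
function attributeValue(string $html): ?string
{
    if (preg_match('/value="([^"]*)"/', $html, $m) !== 1) {
        return null;
    }
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

// Raw form: only the text before the quote survives as the field value.
echo renderRaw($productName), PHP_EOL;
echo attributeValue(renderRaw($productName)), PHP_EOL;

// Escaped form: the full product name round-trips through the attribute.
echo renderEscaped($productName), PHP_EOL;
echo attributeValue(renderEscaped($productName)), PHP_EOL;

// The check a template author cares about: the escaped form preserves the
// name exactly, the raw form truncates it at the first double quote.
var_dump(attributeValue(renderEscaped($productName)) === $productName);
var_dump(attributeValue(renderRaw($productName)) === $productName);
```

The same htmlentities() call applies to any value echoed into an attribute, not only product_name; applying it only where double quotes are expected (ENT_COMPAT) leaves single-quoted attributes unprotected.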