Bug in html/shop.parameter_search_form.php

Started by doorknob, October 01, 2008, 02:46:50 AM

doorknob

The parameter values are captured and stored without conversion of special HTML characters (this is necessary because ; is used as a separator).
When the parameters are used to populate controls in the form, there is still no conversion of special characters. I fixed this by changing the code as follows.
Please note that my code also fixes another compliance error that was reported earlier.
Lines 168-170
foreach($fields as $field) {
    $attr .= "<option value=\"$field\"".(($selected_value[$field]==1) ? " selected>" : ">"). $field."</option>\n";
}

changed to
foreach($fields as $field) {
    $html_field = htmlspecialchars( $field );
    $attr .= "<option value=\"$html_field\"".(($selected_value[$field]==1) ? " selected=\"selected\">" : ">"). $html_field."</option>\n";
}


and lines 175-177
foreach($fields as $field) {
    $attr .= "<option value=\"$field\"".(($get_item_value==$field) ? " selected>" : ">"). $field."</option>\n";
}

changed to
foreach($fields as $field) {
    $html_field = htmlspecialchars( $field );
    $attr .= "<option value=\"$html_field\"".(($get_item_value==$field) ? " selected=\"selected\">" : ">"). $html_field."</option>\n";
}


Regards
Phil
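
An added example, not part of the original post and not VirtueMart's own code: the escape-at-output approach from the post as a standalone PHP function, run over constructed sample values to show the markup with and without escaping. The function name `build_options`, its parameters and the sample data are assumptions made for illustration.

```php
<?php
// Added example; build_options() and the sample data are hypothetical.

/**
 * Build <option> elements from a ';'-separated parameter string.
 * Values stay raw in storage (so ';' keeps working as the separator)
 * and are escaped only when they are written into HTML.
 */
function build_options(string $stored, array $selected, bool $escape = true): string
{
    $out = '';
    foreach (explode(';', $stored) as $field) {
        if ($field === '') {
            continue; // skip empty entries left by a trailing separator
        }
        // Compare against the raw value: selection is decided on the stored
        // data, not on its HTML representation.
        $is_selected = in_array($field, $selected, true);
        // ENT_QUOTES also encodes ', so the result is safe in either quote style.
        $html = $escape ? htmlspecialchars($field, ENT_QUOTES, 'UTF-8') : $field;
        $out .= '<option value="' . $html . '"'
              . ($is_selected ? ' selected="selected"' : '')
              . '>' . $html . "</option>\n";
    }
    return $out;
}

// Constructed sample data: one value contains a double quote and angle brackets.
$stored   = 'Red;19" <wide>;Tom & Jerry';
$selected = ['19" <wide>'];

echo "Unescaped (the behaviour reported in the post):\n";
echo build_options($stored, $selected, false);

echo "\nEscaped at output (the fix):\n";
$safe = build_options($stored, $selected);
echo $safe;

// Round trip: decoding each value attribute, as a browser does, gives back
// the raw stored values, so submitted form values still match the stored data.
preg_match_all('/value="([^"]*)"/', $safe, $m);
$decoded = array_map(
    fn($v) => htmlspecialchars_decode($v, ENT_QUOTES),
    $m[1]
);
var_dump($decoded === explode(';', $stored));
```

In the unescaped output the double quote in the second value ends the `value` attribute early, which is the malformed markup the post describes; the escaped output keeps each value inside its attribute.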