Topic: Bug in html/shop.parameter_search_form.php

doorknob

Bug in html/shop.parameter_search_form.php
« on: October 01, 2008, 02:46:50 am »
The parameter values are captured and stored without conversion of special HTML characters (this is necessary because ; is used as a separator).
When the parameters are used to populate controls in the form, there is still no conversion of special characters. I fixed this by changing the code as follows.
Please note that my code also fixes another compliance error that was reported earlier.
Lines 168-170
Code:
foreach ($fields as $field) {
    // $field is written into the value attribute and the option text unescaped
    $attr .= "<option value=\"$field\"" . (($selected_value[$field] == 1) ? " selected>" : ">") . $field . "</option>\n";
}
changed to
Code:
foreach ($fields as $field) {
    // escape once and use the escaped copy for both the attribute and the text;
    // the raw $field is still the lookup key for the selected-value map
    $html_field = htmlspecialchars($field);
    $attr .= "<option value=\"$html_field\"" . (($selected_value[$field] == 1) ? " selected=\"selected\">" : ">") . $html_field . "</option>\n";
}

and lines 175-177
Code:
foreach ($fields as $field) {
    // $field is written into the value attribute and the option text unescaped
    $attr .= "<option value=\"$field\"" . (($get_item_value == $field) ? " selected>" : ">") . $field . "</option>\n";
}
changed to
Code:
foreach ($fields as $field) {
    // escape once and use the escaped copy for both the attribute and the text;
    // the comparison with $get_item_value is still done on the raw value
    $html_field = htmlspecialchars($field);
    $attr .= "<option value=\"$html_field\"" . (($get_item_value == $field) ? " selected=\"selected\">" : ">") . $html_field . "</option>\n";
}

Regards
Phil
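The output-time escaping that the post above applies to both option lists, as an added example that is not part of the original post or of the shop's own code. It shows why escaping belongs at render time rather than in the parameter store (an entity such as `&quot;` would itself contain the `;` separator), and why one escaped copy must be used for both the `value` attribute and the option text. The helper names `h()` and `build_option_list()` and the sample field values are assumptions made for this illustration; `$fields`, `$selected_value` and `$get_item_value` mirror the names in the post.

```php
<?php
// Added example, not from the original post or the shop's code base.
// Renders <option> lists the way the patch above does: every field name is
// escaped once with htmlspecialchars() before it touches the markup, while
// the raw name is still used for the "is this one selected" comparison.

/**
 * Escape a string for use as an attribute value or as element text.
 * ENT_QUOTES also escapes single quotes, so the result is safe in either
 * quote style; the explicit charset avoids PHP-version-dependent defaults.
 */
function h($s)
{
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

/**
 * Build <option> elements for $fields.
 *
 * $selected is either an array (field => 1), as $selected_value is in the
 * multi-select case of the post, or a single scalar, as $get_item_value is
 * in the single-select case. The comparison uses the raw field name; only
 * the escaped copy is written into the HTML.
 */
function build_option_list(array $fields, $selected)
{
    $html = '';
    foreach ($fields as $field) {
        if (is_array($selected)) {
            $is_selected = isset($selected[$field]) && $selected[$field] == 1;
        } else {
            $is_selected = ((string) $selected === (string) $field);
        }
        $html_field = h($field);
        $html .= '<option value="' . $html_field . '"'
               . ($is_selected ? ' selected="selected"' : '')
               . '>' . $html_field . "</option>\n";
    }
    return $html;
}

// Constructed sample input (not real data): an ordinary value, one that
// would break out of the value="..." attribute, one that would inject an
// element into the option text, and one containing the ';' separator that
// the parameter store uses. Escaping at render time leaves ';' untouched,
// which is why the store can keep using it as a delimiter.
$fields = array(
    'Colour',
    'Size" onmouseover="alert(1)',
    '<script>alert(document.cookie)</script>',
    'a;b',
);

echo "Multi-select (Colour preselected):\n";
echo build_option_list($fields, array('Colour' => 1));

echo "\nSingle select (second entry preselected, compared on the raw value):\n";
echo build_option_list($fields, 'Size" onmouseover="alert(1)');
```

Run it with `php` on the command line: every `"` and `<` in the constructed values comes out as `&quot;` and `&lt;`, the attribute stays closed, and the `selected="selected"` marker still lands on the right entry because the comparison never sees the escaped form.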