We are using a multi-language site, and when we store a product with double quotes (commonly used for inch display) the product is not properly shown when entered a second time from the product list.
how to reproduce:
- as super administrator...
- create and save a product "zz & 5" test sk"
- save it and visit the product listing in the backend
- click the product name
- you'll see only "zz & 5" there instead of full product name
rendered html includes XSS problem:
<input class="required inputbox" type="text" name="product_name" id="product_name" value="zz3 & zz 3" test" size="32" maxlength="255" />
I don't normally submit security issues into the forum, but I was asked by the VM team leader to post this here...
best regards, stan
Entering 2 single quotes instead of the double quote should work. There are differences related to country-specific keyboard layouts, languages and operating systems. (I'm not sure if our non-American keyboards enter the same type of double quote as the U.S. and U.K. keyboards.)
Update:
Maybe not the best idea, because 2 single quotes look like the (inch) double quotes, but in the generated source code it will become zz & 5"
Probably similar to the Apostrophe problem discussed here: http://forum.virtuemart.net/index.php?topic=140498.msg493952#msg493952
It is allowed, because you can do it as far as I know only as super administrator.
I already explained in another post. You have to use this code:
htmlentities($str, ENT_QUOTES, "UTF-8");
$str is $this->product->product_name in your case
<?php echo htmlentities($this->product->product_name, ENT_QUOTES, "UTF-8"); ?>
If you are sure the input uses double quotes, then only ENT_COMPAT is needed, to convert the double quote.
See http://php.net/manual/fr/function.htmlentities.php for all information; I hope one day a dev changes this code for all inputs.
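As an added example (not code from VirtueMart or from the posters above), here is the rendering from the report beside the htmlentities() fix from the reply, with a DOM read-back showing why the backend form only displays part of the name. The function names and the minimal input markup are assumptions for illustration.

```php
<?php
// Constructed sample: the product name from the bug report above.
$productName = 'zz & 5" test sk';

// Rendering as reported: the raw value dropped into a double-quoted attribute.
// The first " in the name closes the attribute, and the rest of the name is
// parsed as further (bogus) attributes. Any attacker-controlled text landing
// here is an attribute-injection / XSS sink.
function renderUnescaped(string $name): string
{
    return '<input type="text" name="product_name" value="' . $name . '" size="32" />';
}

// Hardened rendering, using the call from the reply above. ENT_QUOTES escapes
// both " and ', so the value is safe whichever quoting style the template uses.
// Note: passing explicit flags drops PHP's default ENT_SUBSTITUTE, so invalid
// UTF-8 input would yield an empty string; add ENT_SUBSTITUTE if that matters.
function renderEscaped(string $name): string
{
    $safe = htmlentities($name, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="product_name" value="' . $safe . '" size="32" />';
}

// Check: parse each rendering with libxml and read back the value attribute,
// i.e. what the browser will put into the edit form.
function valueAttribute(string $html): ?string
{
    $doc = new DOMDocument();
    // Warnings are suppressed because the unescaped case is malformed markup.
    @$doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input ? $input->getAttribute('value') : null;
}

echo renderUnescaped($productName), PHP_EOL;
echo renderEscaped($productName), PHP_EOL;
// Unescaped: the value ends at the first double quote, as seen in the report.
echo 'unescaped read-back: ', var_export(valueAttribute(renderUnescaped($productName)), true), PHP_EOL;
// Escaped: the full name round-trips, because &quot; and &amp; are decoded by the parser.
echo 'escaped read-back:   ', var_export(valueAttribute(renderEscaped($productName)), true), PHP_EOL;
```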