VirtueMart Forum

VirtueMart 2 + 3 => Virtuemart Development and bug reports => Topic started by: d0ublezer0 on September 15, 2017, 14:16:13 pm

Title: Quotation mark in category name
Post by: d0ublezer0 on September 15, 2017, 14:16:13 pm
vm 3.2.4
j3.7.5
Disappear when saved and then opened:

create category
Category with "Quotes"
save it
open it
you will see that your category name will be as:
Category with
Title: Re: Quotation mark in category name
Post by: Studio 42 on September 17, 2017, 01:39:58 am
Same for Product (I corrected it for a customer), but I don't report such bugs anymore because I don't want to send a patch for only 1 line.
Title: Re: Quotation mark in category name
Post by: d0ublezer0 on May 13, 2018, 17:09:06 pm
VM3.2.12 problem is still here
Title: Re: Quotation mark in category name
Post by: Studio 42 on May 13, 2018, 20:57:04 pm
This is the fix I use for products
File is JOOMLAROOT/administrator/components/com_virtuemart/views/product/tmpl/product_edit_information.php
Code: [Select]
<input class="required inputbox" type="text" name="product_name" id="product_name" value="<?php echo htmlentities($this->product->product_name, ENT_QUOTES, "UTF-8"); ?>" size="32" maxlength="400" />
This is the code to use in any input (not textarea) to support quotes
Code: [Select]
htmlentities($yourValue, ENT_QUOTES, "UTF-8");
Title: Re: Quotation mark in category name
Post by: d0ublezer0 on August 03, 2018, 11:11:40 am
Well, so maybe the developers will include this correction in the working project?
Title: Re: Quotation mark in category name
Post by: Studio 42 on August 03, 2018, 14:49:46 pm
Hum, they have modified something, but not really cool, encoding all in the DB.
So for your quotes in the last VM Beta, you now have the special chars encoded in the field.
This solves the display problem in some cases, but using any field in an email sent as plain text displays the encoded chars.
Another problem with the new solution is that when you use an import tool, you have to encode all.
I have to modify my import tool, and certainly CSVI too. So not really cool, especially when you sometimes work directly in the database, e.g. exporting data as CSV to work in Excel, and other drawbacks...
Title: Re: Quotation mark in category name
Post by: d0ublezer0 on August 03, 2018, 19:02:58 pm
Yes, that is right.
But the real solution is very simple and obvious. Why not add it? Escaping strings is the golden rule of working with forms; I have remembered it since 1999, when I started programming.
Title: Re: Quotation mark in category name
Post by: Studio 42 on August 03, 2018, 21:30:30 pm
@d0ublezer0, I verified Joomla's $db->insertObject, the safe way to add records in the DB.
The only thing they do is use $db->quote($value);
$db->quote without the 2nd parameter escapes the string, so in the DB everything is inserted correctly (you have no backslash in the table).
I already tried to inject queries on insert or update; this never gets executed. Only on very old servers can you have the problem, but then not only for MySQL queries. So I really don't understand why they have added encoding; the problem was not on insert in the field, but on display only.
Because an input needs to have double quotes, you have to use htmlentities($str,ENT_QUOTES,'UTF-8').
Note that since PHP 5.6 htmlentities always uses UTF-8, but Joomla 4 wants only PHP 7 support, so this UTF-8 is only for compatibility and is obsolete for Joomla 4.
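Added example, not part of the thread and not VirtueMart code: it contrasts the two approaches discussed above, escaping with htmlentities() when the input is rendered versus encoding the value before it is stored. The helper parsedValue() and the sample name are constructed for illustration, and the script assumes PHP's DOM extension is available.

```php
<?php
// Added illustration, not VirtueMart code. $name is a constructed sample value.
$name = 'Category with "Quotes"';

// Hypothetical helper: returns what an HTML parser reads back from the
// value attribute of an <input> rendered with the given attribute text.
function parsedValue(string $attributeText): string
{
    libxml_use_internal_errors(true);   // malformed markup is expected here
    $doc = new DOMDocument();
    $doc->loadHTML('<input type="text" value="' . $attributeText . '" size="32">');
    libxml_clear_errors();
    return $doc->getElementsByTagName('input')->item(0)->getAttribute('value');
}

// 1. Raw value placed in the attribute: the first double quote inside the
//    name closes the attribute, so the rest of the name is lost on reopen.
echo "Unescaped, parsed back:  ";
var_dump(parsedValue($name));

// 2. Escaped at output time, as in the fix posted in the thread.
//    The parser decodes the entities, so the full name survives.
$escaped = htmlentities($name, ENT_QUOTES, 'UTF-8');
echo "Escaped attribute text:  ";
var_dump($escaped);
echo "Escaped, parsed back:    ";
var_dump(parsedValue($escaped));

// 3. Encoding before storage instead: the stored text now carries entities.
$storedEncoded = htmlentities($name, ENT_QUOTES, 'UTF-8');

// A plain-text consumer (mail body, CSV export) shows the entities as-is.
echo "Plain-text consumer:     ";
var_dump($storedEncoded);

// A template that also escapes on output encodes the ampersands again,
// so the form field shows entity text instead of the quotes.
echo "Stored-encoded + escape: ";
var_dump(parsedValue(htmlentities($storedEncoded, ENT_QUOTES, 'UTF-8')));
```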
Title: Re: Quotation mark in category name
Post by: d0ublezer0 on September 14, 2018, 13:11:26 pm
An alternative solution that suited me:
copy the administration template file into
Code: [Select]
\administrator\templates\isis\html\com_virtuemart\category\edit_categoryform.php
and make the necessary changes in it.

Yes, this is also a hack.
But it will not be automatically lost when upgraded, if you suddenly forget to make a copy of your changes.
Title: Re: Quotation mark in category name
Post by: Milbo on September 17, 2018, 08:33:24 am
I already tried to inject queries on insert or update; this never gets executed. Only on very old servers can you have the problem, but then not only for MySQL queries. So I really don't understand why they have added encoding; the problem was not on insert in the field, but on display only.
Because an input needs to have double quotes, you have to use htmlentities($str,ENT_QUOTES,'UTF-8').
Note that since PHP 5.6 htmlentities always uses UTF-8, but Joomla 4 wants only PHP 7 support, so this UTF-8 is only for compatibility and is obsolete for Joomla 4.

Time to think about removing it. But next release, not for vm3.4