Bug #66616
Closed
Double encoding in tag builder
Description
The tag builder uses htmlspecialchars to encode the values of attributes. The problem is that if I pass in a value from the database containing " it will be double HTML-encoded, because htmlspecialchars is just called without any parameters.
My suggestion would be
htmlspecialchars($attributeValue, ENT_QUOTES, 'UTF-8', FALSE);
Updated by Dirk Jüttner over 9 years ago
Need feedback. It's not reproducible, neither in 6.2 nor in 7.3.
The default of htmlspecialchars is like htmlspecialchars('',ENT_COMPAT), but without double HTML encoding.
" becomes &quot;
but not &amp;quot;
Updated by Jan Kiesewetter over 9 years ago
Steps to reproduce:
An RTE field for the description; a quotation mark will be saved HTML-encoded to the database.
Output image with:
<f:image image="{image}" alt="{rtefield -> f:format.stripTags()}" />
Result:
The alt attribute of the output will be double URL-encoded.
Maybe this is an edge case, but if the value is encoded in the database it will be double encoded.
Of course I can additionally use the HtmlentitiesDecodeViewHelper {rtefield -> f:format.stripTags() -> f:format.htmlentitiesDecode()}, but with multiple fields and attributes this is a mess.
Therefore my suggestion is to do this in the tag builder itself.
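An added example (not part of the ticket and not TYPO3's code) comparing the default htmlspecialchars call with the double_encode = FALSE variant proposed in this thread. encodeAttribute() and browserView() are hypothetical helpers and all sample values are constructed; the point is that the encoder cannot know whether its input is already encoded, so each setting is wrong for one kind of input.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the attribute-encoding step of a tag builder.
function encodeAttribute(string $value, bool $doubleEncode = true): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8', $doubleEncode);
}

// Approximates what a browser presents for the attribute: one round of
// entity decoding applied to the encoded value.
function browserView(string $encoded): string
{
    return html_entity_decode($encoded, ENT_QUOTES, 'UTF-8');
}

// Constructed cases: [value handed to the tag builder, text the editor meant]
$cases = [
    'raw quote'           => ['a "strange" alt', 'a "strange" alt'],
    // RTE case from the ticket: the stored value is already HTML-encoded.
    'pre-encoded from DB' => ['a &quot;strange&quot; alt', 'a "strange" alt'],
    // Plain text that is meant to display the characters &quot; literally.
    'literal entity text' => ['type &quot; for a quote', 'type &quot; for a quote'],
    // Value containing markup characters; must never reach the page raw.
    'markup in value'     => ['"><b>bold</b>', '"><b>bold</b>'],
];

foreach ($cases as $label => [$input, $intended]) {
    foreach ([true, false] as $doubleEncode) {
        $attr = encodeAttribute($input, $doubleEncode);
        printf(
            "%-20s double_encode=%-5s alt=\"%s\" shown-as-intended=%s\n",
            $label,
            var_export($doubleEncode, true),
            $attr,
            browserView($attr) === $intended ? 'yes' : 'no'
        );
    }
}
```

Only the pre-encoded case is helped by double_encode = FALSE; the literal-entity case loses fidelity under it, and the markup case is escaped under both settings. Decoding stored values once at the point where they are read keeps a single encoding step at output.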
Updated by Riccardo De Contardi over 8 years ago
- Status changed from New to Needs Feedback
Hi and sorry for my late answer.
I tried with the latest master (8.0-dev) to do the following:
1) add a text with media (FSC) element with an image
2) write in the alt field the following line:
this is a "strange" alt 'quoted' text
3) result: the HTML code in output is:
<img alt="this is a &quot;strange&quot; alt 'quoted' text"...
Can this be considered correct for you?
Updated by Riccardo De Contardi over 8 years ago
- Status changed from Needs Feedback to Closed
No feedback within the last 90 days => closing this ticket.
If you think that this is the wrong decision or a different test should be done, or experience this issue again, then please write to the mailing list typo3.teams.bugs with issue number and an explanation or open a new ticket and add a relation to this ticket number.