Announcement

Symphony's issue tracker has been moved to Github.

Issues are displayed here for reference only and cannot be created or edited.

Closed #386: Sanitation issue with params swimming in the pool

There has been a discussion about problems with Apostrophes in page titles. It turned out that there is a Symphony sanitation issue with params from the param pool.

Some additional observations:

  • The param will be displayed correctly on the debug page.
  • Using Nick Dunn’s Param Pool to XML, the page title will be written to the page XML correctly (i.e. non-encoded).
  • As far as I see, the “double-encoding” happens for Apostrophes only. Other characters (like <) get single-encoded (which might be superfluous, but not dangerous).
  • The bug occurs in 2.0.8RC3 and 2.1, so it’s not brand-new.

Can you please provide specific information on how this can be reproduced? Need to make sure I am on the same page, so to speak.

I have spoken with Alistair and relayed the issue. This is unfortunately an issue core to the XSLT processor and the only solution is to offer parameter values in the XML. This has been the direction of Symphony (with v3) so it’s just a matter of back-porting the feature (patch in Nick’s extension to the core).

We plan to add this for v2.2.

Really good to hear that, thanks for the update!

We decided that params would be rendered in the page XML from 2.2 onwards, since this is the approach S3 is taking.

The param pool still exists, but will eventually be considered deprecated; instead, XPath to the param XML is preferred.

http://github.com/nickdunn/symphony-2/commit/e2e450c9d44e574b850edfeb6a6977cd391d7dcf
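An added PHP illustration of the two approaches discussed in this thread (this is not Symphony's code and not the commit linked above): a title that is pre-encoded with htmlspecialchars() and then handed to the XSLT processor as a parameter is escaped a second time by the XSLT serializer, while the same title placed as a text node in the page XML and selected with XPath is escaped exactly once. The sample title, the param name and the stylesheet are constructed for the example.

```php
<?php
// Constructed sample page title containing apostrophes (the case reported in the thread).
$title = "O'Reilly's page";

// Stylesheet that prints the title twice: once from the XSLT parameter
// (param-pool style) and once from the page XML (the approach taken from 2.2).
$xsl = new DOMDocument();
$xsl->loadXML(<<<'XSL'
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="xml" omit-xml-declaration="yes"/>
  <xsl:param name="page-title"/>
  <xsl:template match="/">
    <out>
      <from-param><xsl:value-of select="$page-title"/></from-param>
      <from-xml><xsl:value-of select="/data/params/page-title"/></from-xml>
    </out>
  </xsl:template>
</xsl:stylesheet>
XSL
);

// Page XML carrying the raw (not pre-encoded) title as a text node; the
// serializer escapes it once on output, which is the only escaping needed.
$xml = new DOMDocument();
$root = $xml->appendChild($xml->createElement('data'));
$params = $root->appendChild($xml->createElement('params'));
$node = $params->appendChild($xml->createElement('page-title'));
$node->appendChild($xml->createTextNode($title));

$proc = new XSLTProcessor();
$proc->importStylesheet($xsl);

// Param-pool style: the value is entity-encoded before it reaches the processor,
// so the '&' of "&#039;" gets escaped again when the result is serialized.
$proc->setParameter('', 'page-title', htmlspecialchars($title, ENT_QUOTES, 'UTF-8'));

// Expected shape of the output:
//   <from-param>O&amp;#039;Reilly&amp;#039;s page</from-param>   (double-encoded)
//   <from-xml>O'Reilly's page</from-xml>                         (encoded once)
echo $proc->transformToXML($xml), "\n";
```

Encoding once, at the point of output, is the property that makes the XML/XPath route safe without producing the literal "&#039;" that the reporter saw in rendered titles.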

This issue is closed.
