CMS MADE SIMPLE FORGE

Form Builder

 

[#3154] &amp; is replaced with &

Created By: Simon Pieters (zcorpan)
Date Submitted: Thu Mar 12 15:27:28 -0400 2009

Assigned To: Ryan Foster (RytoEX)
Version: 0.5.11
CMSMS Version: None
Severity: None
Resolution: Accepted
State: Closed
Summary:
&amp; is replaced with &
Detailed Description:
1. Create a form
2. Write out the contents of a field in the "next" page, like <p>Thanks, {$name|escape}</p>
3. Write the text "& &amp; &amp;amp;" in the field, submit

expected results
Should see the text "Thanks, & &amp; &amp;amp;"

actual results
The text "& & &amp;"

i.e. to Smarty there's no difference between the input "&" and the input
"&amp;", and this is data loss.


History

Comments
Date: 2010-09-07 02:42
Posted By: Ryan Foster (RytoEX)

Actually, if you check the HTML source of the page (or the HTML source of the
data that gets stored in FormBrowser) you'll see:

&amp; &amp; &amp;amp;

Certain characters will be transformed into HTML entities (& to &amp;, < to
&lt;, etc.) for security reasons (to reduce/remove the possibility of SQL
injections and the like).  This probably won't be changed.

The reason you see "& & &amp;" is due to the way that browsers render HTML
entities, similar to how "&lt;" will display a "<".  This is not actual data
loss.  For these reasons, I'm marking this bug as "Won't Fix".  I'm sorry that I
couldn't be more helpful in this matter.

As a side note, the only way I can think of to display HTML entities without
rendering them as their corresponding characters would be to use the deprecated
XMP tag.  Of course, then you would see "&amp; &amp; &amp;amp;", and your
document would not validate because XMP is deprecated.
      
Date: 2010-11-24 06:30
Posted By: Ryan Foster (RytoEX)

Changing Resolution from "Won't Fix" to "None" for now.  I do want to look into
this a bit further before making a decision.
      
Date: 2010-12-05 00:18
Posted By: Ryan Foster (RytoEX)

Trying to get a bit more information here.

Is the expected result to display the same thing as the user typed specifically
by using the escape modifier (|escape) or without it?

Should the stored result also reflect exactly what the user typed?
      
Date: 2010-12-06 05:02
Posted By: Simon Pieters (zcorpan)

> Is the expected result to display the same thing as the user typed specifically
> by using the escape modifier (|escape) or without it?

I don't recall if the bug was with |escape or somewhere else.

If you output to text/plain, then the rendered output should match the user
input without |escape.

If you output to text/html, then the rendered output should match the user input
with |escape.

> Should the stored result also reflect exactly what the user typed?

I guess that's a good idea, yes.
      
Date: 2010-12-06 16:21
Posted By: Tapio Löytty (Stikki)

Yo all!

Talked with SjG today and we are fixing this issue for the next release.

Without the |escape modifier it will return text as it was written. With |escape
it will alter it, like it should.

Best regards

-Stikki-
      
Date: 2011-10-24 14:19
Posted By: Tapio Löytty (Stikki)

Closing any bug reports older than 0.7.

If this problem still occurs in the 0.7.1 release, please file a new bug report.

Best regards

-Stikki-
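
Added example, not part of the original thread and not FormBuilder's code: a PHP sketch of the escaping behaviour discussed in the comments above, run on the field value from the report. That the lossy path encodes on input with double_encode disabled is an assumption chosen because it reproduces the reported HTML source; all function names are hypothetical.

```php
<?php
// Added illustration; not FormBuilder code. All function names are hypothetical.

// Text a browser displays for an HTML source: entities are decoded once.
function displayed_text(string $html_source): string {
    return html_entity_decode($html_source, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Output-time encoding chosen by content type, as described in the thread:
// escape for text/html, emit unchanged for text/plain.
function render(string $stored, string $content_type): string {
    return $content_type === 'text/html'
        ? htmlspecialchars($stored, ENT_QUOTES, 'UTF-8')
        : $stored;
}

$pipelines = [
    // Assumption: input is encoded with double_encode = false (existing
    // entities are skipped) and the stored value is printed unescaped.
    'encode on input, skip entities' => function (string $in): string {
        return htmlspecialchars($in, ENT_QUOTES, 'UTF-8', false);
    },
    // Encoding at both input and output: the opposite failure.
    'encode on input and output' => function (string $in): string {
        return render(htmlspecialchars($in, ENT_QUOTES, 'UTF-8'), 'text/html');
    },
    // Store exactly what was typed; encode once when writing HTML.
    'store raw, encode on output' => function (string $in): string {
        return render($in, 'text/html');
    },
];

$input = '& &amp; &amp;amp;';   // field value from the report

foreach ($pipelines as $name => $pipeline) {
    $source = $pipeline($input);
    $shown  = displayed_text($source);
    printf("%-31s source: %-32s shown: %-24s %s\n", $name, $source, $shown,
        $shown === $input ? 'matches input' : 'differs from input');
}

// Constructed sample: markup typed into the field stays inert when the raw
// value is encoded once at output.
$probe = '<b>bold</b> & "quoted"';
echo render($probe, 'text/html'), "\n";
echo render($probe, 'text/plain'), "\n";
```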
      
Updates

Updated: 2011-10-24 14:19
cmsms_version_id: => -1
state: Open => Closed

Updated: 2010-12-06 16:21
resolution_id: 5 => 6

Updated: 2010-11-24 06:30
resolution_id: 8 => 5

Updated: 2010-09-07 02:42
resolution_id: => 8
assigned_to_id: 100 => 13490