
[#687] Project name with html characters

Date: 2014-06-06 10:05
Priority: 3
State: Closed
Submitted by: Franck Villaume (nerville)
Assigned to: Franck Villaume (nerville)
Target Release: 5.3.2
Found in Version: 5.3.1
Severity: major
Resolution: Accepted As Bug
Summary: Project name with html characters

Detailed description
After this I got an error about projectObject is not an object.
This problem arose because I had project names in the database with & inside the name.
In common/include/Group.class.php there is an escaping of special chars with htmlspecialchars. But this routine is buggy because it looks stupidly for characters and doesn't analyze if this is already an escaped char :(
So I changed it in the way to first expand the name and then escape it:

    function group_get_object_by_publicname($groupname) {
        $res = db_query_params('SELECT * FROM groups WHERE lower(group_name) LIKE $1',
            array(htmlspecialchars(html_entity_decode(strtolower($groupname)))));
        return group_get_object(db_result($res, 0, 'group_id'), $res);
    }

Extract from https://fusionforge.org/forum/message.php?msg_id=708&group_id=6
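
The double-escaping failure described above, reproduced as an added example (not FusionForge code and not part of the original report). The `$groups` array is a constructed stand-in for the groups table and the function names are hypothetical; the third variant uses PHP's `double_encode` parameter, which the report does not mention.

```php
<?php
// Added example, not FusionForge code. Constructed stand-in for the groups
// table, assuming names are stored lowercased here and HTML-escaped.
$groups = ['r&amp;d tools' => 42];

// Escape only: the lookup behaviour the report describes as buggy.
function key_escape_only(string $name): string {
    return htmlspecialchars(strtolower($name), ENT_QUOTES, 'UTF-8');
}

// Decode, then escape: the reporter's approach, same call order.
function key_decode_then_escape(string $name): string {
    $raw = html_entity_decode(strtolower($name), ENT_QUOTES, 'UTF-8');
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Alternative not mentioned in the report: htmlspecialchars() with
// double_encode=false leaves existing entities untouched.
function key_no_double_encode(string $name): string {
    return htmlspecialchars(strtolower($name), ENT_QUOTES, 'UTF-8', false);
}

// Returns the group id, or null where the real code would get no object.
function lookup(array $groups, string $key): ?int {
    return $groups[$key] ?? null;
}

$inputs = ['R&D Tools', 'R&amp;D Tools'];   // raw and already-escaped form
$variants = ['key_escape_only', 'key_decode_then_escape', 'key_no_double_encode'];
foreach ($inputs as $input) {
    foreach ($variants as $fn) {
        $key = $fn($input);
        $id  = lookup($groups, $key);
        printf("%-14s %-23s key=%-18s id=%s\n", $input, $fn, $key, $id ?? 'none');
    }
}
```

Only the escape-only variant misses the row when the input is already escaped. The normalization does not change `%` or `_`, which the `LIKE` comparison in the quoted query still treats as wildcards.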
Message
Date: 2014-07-11 11:34
Sender: Franck Villaume

fix in commit: bc4069e756424cc54053032ee61e8bb3d9dc3978

Date: 2014-07-11 10:03
Sender: Franck Villaume

partial fix in commit: 8e4a670465afa417cfcdbbd16d1880705ced7e07

Date: 2014-07-11 09:50
Sender: Franck Villaume

Enabling/disabling any tool using the tools admin tab in a project does not work when the project has an HTML special char in group_name.

Field             Old Value   Date               By
status_id         Open        2014-07-11 11:34   nerville
close_date        None        2014-07-11 11:34   nerville
assigned_to       none        2014-07-11 11:34   nerville
Target Release    None        2014-07-11 11:34   nerville
details           (earlier copy of the detailed description above)   2014-07-11 09:50   nerville
Found in Version  None        2014-07-11 09:50   nerville
Severity          None        2014-07-11 09:50   nerville
Resolution        None        2014-07-11 09:50   nerville