Description: ------------ I found a case in which XML produced by XML_Serializer seems to be invalid, as per: http://www.w3.org/TR/2006/REC-xml-20060816/#syntax The ampersand character (&) and the left angle bracket (<) must not appear in their literal form Test script: --------------- http://pastebin.ca/1305247 Expected result: ---------------- <?xml version="1.0" encoding="UTF-8"?> <FooTag attr1="I say: "A", B & C, &apos;d&apos;!"> <tag1 attr1="I say: "A", B & C, &apos;d&apos;!"> <tag2>I say: "A", B & C, &apos;d&apos;!</tag2> </tag1> <tag3 attr1="I say: "A", B & C, &apos;d&apos;!">I say: "A", B & C, &apos;d&apos;!</tag3> </FooTag> Actual result: -------------- <?xml version="1.0" encoding="UTF-8"?> <FooTag attr1="I say: "A", B & C, 'd'!"> <tag1 attr1="I say: "A", B & C, 'd'!"> <tag2>I say: "A", B & C, &apos;d&apos;!</tag2> </tag1> <tag3 attr1="I say: "A", B & C, &apos;d&apos;!">I say: "A", B & C, &apos;d&apos;!</tag3> </FooTag>

confirmed, php version 4.4.9

I just ran across this today and patched the version we are using. All I did was change line 832 in Serializer.php to: $atts[$this->options[XML_SERIALIZER_OPTION_ATTRIBUTE_KEY]] = XML_Util::replaceEntities($origKey, $this->options[XML_SERIALIZER_OPTION_ENTITIES]); There's a chance that's not the complete, proper solution, but it does the trick for me. Probably needs to be done in the Unserializer.php, too, but I didn't care about that.

Copied test script <?php require_once('XML/Serializer.php'); define('XML_ATTR', 'XML_Attributes_Array'); $options = array( XML_SERIALIZER_OPTION_INDENT => ' ', XML_SERIALIZER_OPTION_LINEBREAKS => "\n", XML_SERIALIZER_OPTION_ROOT_NAME => 'FooTag', XML_SERIALIZER_OPTION_MODE => XML_SERIALIZER_MODE_SIMPLEXML, XML_SERIALIZER_OPTION_ATTRIBUTES_KEY => XML_ATTR, XML_SERIALIZER_OPTION_XML_ENCODING => 'UTF-8', XML_SERIALIZER_OPTION_XML_DECL_ENABLED => true, XML_SERIALIZER_OPTION_ENTITIES => XML_SERIALIZER_ENTITIES_XML, ); $v = 'I say: "A", B & C, \'d\'!'; $a = array('attr1' => $v); $xml = array( XML_ATTR => $a, 'tag1' => array(XML_ATTR => $a, 'tag2' => $v), 'tag3' => array(XML_ATTR => $a, $v), ); $serializer = new XML_Serializer($options); $serializer->serialize($xml); echo $serializer->getSerializedData();

The provided test case performs as described, with me testing XML_Serializer-0.19.1 on PHP 5.2.6 on Ubuntu-8.10. The attached patch (with missing brackets added) makes the test work, without breaking any existing tests. Change committed to CVS, and test case added.

This fix not working in PHP 4.x. Check errors

Hi, with XML_Serializer-0.20.2 I get double encoded entities in some attributes when running: phpunit tests/bug-15602.phpt The bug tracker mangles the output here, decoding the entities... but the output is somethat like this. $ phpunit tests/bug-15602.phpt PHPUnit 5.2.10 by Sebastian Bergmann and contributors. F 1 / 1 (100%) Time: 118 ms, Memory: 2.00Mb There was 1 failure: 1) tests/bug-15602.phpt Failed asserting that two strings are equal. --- Expected +++ Actual @@ @@ '<?xml version="1.0" encoding="UTF-8"?> -<FooTag attr1="I say: "A", B & C, &apos;d&apos;!"> - <tag1 attr1="I say: "A", B & C, &apos;d&apos;!"> +<FooTag attr1="I say: "A", B & C, &apos;d&apos;!"> + <tag1 attr1="I say: "A", B & C, &apos;d&apos;!"> <tag2>I say: "A", B & C, &apos;d&apos;!</tag2> </tag1> <tag3 attr1="I say: "A", B & C, &apos;d&apos;!">I say: "A", B & C, &apos;d&apos;!</tag3> </FooTag>' FAILURES! Tests: 1, Assertions: 1, Failures: 1. The issue goes away if I remove the code at line 1215 in XML_Serializer.php, in function _createXMLTag(), but I ma not sure if this is the correct fix. diff --git a/XML_Serializer-0.20.2/XML/Serializer.php b/XML_Serializer-0.20.2/XML/Serializer.php index a757d4b..06eea51 100644 --- a/XML_Serializer-0.20.2/XML/Serializer.php +++ b/XML_Serializer-0.20.2/XML/Serializer.php @@ -598,7 +598,7 @@ class XML_Serializer extends PEAR * * @access public */ - function XML_Serializer( $options = null ) + function __construct( $options = null ) { $this->PEAR(); if (is_array($options)) { @@ -1209,15 +1209,6 @@ $tag['content'] = '0'; // this is a nested call, so value is already encoded // and must not be encoded again $replaceEntities = XML_SERIALIZER_ENTITIES_NONE; - // but attributes need to be encoded anyways - // (done here because the rest of the code assumes the same encoding - // can be used both for attributes and content) - foreach ($tag['attributes'] as $k => $v) { - $v = XML_Util::replaceEntities($v, - $this->options[XML_SERIALIZER_OPTION_ENTITIES]); - - $tag['attributes'][$k] = $v; - } } if (is_scalar($tag['content']) || is_null($tag['content'])) { if ($this->options[XML_SERIALIZER_OPTION_ENCODE_FUNC]) { Can anyone confirm the issue and the fix? Thanks, Antonio

@ao2: I also think the removal is correct and fixed it the same way in git.