
Bug #15602 attributes don't get escaped sometimes
Submitted: 2009-01-10 18:01 UTC
From: lapo Assigned: ashnazg
Status: Closed Package: XML_Serializer (version 0.19.1)
PHP Version: 5.2.8 OS:
Roadmaps: 0.19.2    


 [2009-01-10 18:01 UTC] lapo (Lapo Luchini)
Description:
------------
I found a case in which XML produced by XML_Serializer seems to be invalid, as per:
http://www.w3.org/TR/2006/REC-xml-20060816/#syntax
The ampersand character (&) and the left angle bracket (<) must not appear in their literal form

Test script:
---------------
http://pastebin.ca/1305247

Expected result:
----------------
<?xml version="1.0" encoding="UTF-8"?>
<FooTag attr1="I say: "A", B & C, &apos;d&apos;!">
 <tag1 attr1="I say: "A", B & C, &apos;d&apos;!">
  <tag2>I say: "A", B & C, &apos;d&apos;!</tag2>
 </tag1>
 <tag3 attr1="I say: "A", B & C, &apos;d&apos;!">I say: "A", B & C, &apos;d&apos;!</tag3>
</FooTag>

Actual result:
--------------
<?xml version="1.0" encoding="UTF-8"?>
<FooTag attr1="I say: "A", B & C, 'd'!">
 <tag1 attr1="I say: "A", B & C, 'd'!">
  <tag2>I say: "A", B & C, &apos;d&apos;!</tag2>
 </tag1>
 <tag3 attr1="I say: "A", B & C, &apos;d&apos;!">I say: "A", B & C, &apos;d&apos;!</tag3>
</FooTag>

Comments

 [2009-01-13 10:36 UTC] daniel226 (Daniel Jost)
confirmed, php version 4.4.9
 [2009-01-13 22:39 UTC] jesse (Jesse Dp)
I just ran across this today and patched the version we are using. All I did was change line 832 in Serializer.php to:

$atts[$this->options[XML_SERIALIZER_OPTION_ATTRIBUTE_KEY]] = XML_Util::replaceEntities($origKey, $this->options[XML_SERIALIZER_OPTION_ENTITIES]);

There's a chance that's not the complete, proper solution, but it does the trick for me. Probably needs to be done in the Unserializer.php, too, but I didn't care about that.
 [2009-01-15 14:35 UTC] doconnor (Daniel O'Connor)
Copied test script

<?php
require_once('XML/Serializer.php');

// Array key under which an element's attributes are passed to the serializer
define('XML_ATTR', 'XML_Attributes_Array');

$options = array(
    XML_SERIALIZER_OPTION_INDENT => ' ',
    XML_SERIALIZER_OPTION_LINEBREAKS => "\n",
    XML_SERIALIZER_OPTION_ROOT_NAME => 'FooTag',
    XML_SERIALIZER_OPTION_MODE => XML_SERIALIZER_MODE_SIMPLEXML,
    XML_SERIALIZER_OPTION_ATTRIBUTES_KEY => XML_ATTR,
    XML_SERIALIZER_OPTION_XML_ENCODING => 'UTF-8',
    XML_SERIALIZER_OPTION_XML_DECL_ENABLED => true,
    XML_SERIALIZER_OPTION_ENTITIES => XML_SERIALIZER_ENTITIES_XML,
);

// Value with double quotes, an ampersand and apostrophes
$v = 'I say: "A", B & C, \'d\'!';
$a = array('attr1' => $v);

// Same value as attribute on the root, on a nested tag, and on a tag with text content
$xml = array(
    XML_ATTR => $a,
    'tag1' => array(XML_ATTR => $a, 'tag2' => $v),
    'tag3' => array(XML_ATTR => $a, $v),
);

$serializer = new XML_Serializer($options);
$serializer->serialize($xml);
echo $serializer->getSerializedData();
 [2009-01-25 04:09 UTC] ashnazg (Chuck Burgess)
The provided test case performs as described, with me testing XML_Serializer-0.19.1 on PHP 5.2.6 on Ubuntu-8.10. The attached patch (with missing brackets added) makes the test work, without breaking any existing tests. Change committed to CVS, and test case added.
 [2009-04-24 21:53 UTC] kovaltaras (Taras Koval)
This fix is not working in PHP 4.x. Check errors
 [2016-03-22 17:24 UTC] ao2 (Antonio Ospite)
Hi,

with XML_Serializer-0.20.2 I get double encoded entities in some attributes when running:

phpunit tests/bug-15602.phpt

The bug tracker mangles the output here, decoding the entities... but the output is something like this.

$ phpunit tests/bug-15602.phpt
PHPUnit 5.2.10 by Sebastian Bergmann and contributors.

F 1 / 1 (100%)

Time: 118 ms, Memory: 2.00Mb

There was 1 failure:

1) tests/bug-15602.phpt
Failed asserting that two strings are equal.
--- Expected
+++ Actual
@@ @@
 '<?xml version="1.0" encoding="UTF-8"?>
-<FooTag attr1="I say: "A", B & C, &apos;d&apos;!">
- <tag1 attr1="I say: "A", B & C, &apos;d&apos;!">
+<FooTag attr1="I say: "A", B & C, &apos;d&apos;!">
+ <tag1 attr1="I say: "A", B & C, &apos;d&apos;!">
 <tag2>I say: "A", B & C, &apos;d&apos;!</tag2>
 </tag1>
 <tag3 attr1="I say: "A", B & C, &apos;d&apos;!">I say: "A", B & C, &apos;d&apos;!</tag3>
 </FooTag>'

FAILURES!
Tests: 1, Assertions: 1, Failures: 1.

The issue goes away if I remove the code at line 1215 in XML_Serializer.php, in function _createXMLTag(), but I am not sure if this is the correct fix.

diff --git a/XML_Serializer-0.20.2/XML/Serializer.php b/XML_Serializer-0.20.2/XML/Serializer.php index a757d4b..06eea51 100644 --- a/XML_Serializer-0.20.2/XML/Serializer.php +++ b/XML_Serializer-0.20.2/XML/Serializer.php @@ -598,7 +598,7 @@ class XML_Serializer extends PEAR * * @access public */ - function XML_Serializer( $options = null ) + function __construct( $options = null ) { $this->PEAR(); if (is_array($options)) { 
@@ -1209,15 +1209,6 @@ $tag['content'] = '0'; // this is a nested call, so value is already encoded // and must not be encoded again $replaceEntities = XML_SERIALIZER_ENTITIES_NONE; - // but attributes need to be encoded anyways - // (done here because the rest of the code assumes the same encoding - // can be used both for attributes and content) - foreach ($tag['attributes'] as $k => $v) { - $v = XML_Util::replaceEntities($v, - $this->options[XML_SERIALIZER_OPTION_ENTITIES]); - - $tag['attributes'][$k] = $v; - } } if (is_scalar($tag['content']) || is_null($tag['content'])) { if ($this->options[XML_SERIALIZER_OPTION_ENCODE_FUNC]) { Can anyone confirm the issue and the fix? Thanks, Antonio
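Review bot: In the first hunk (@@ -598,7), the rename of `function XML_Serializer( $options = null )` to `function __construct( $options = null )` is unrelated to the double-encoding problem and should be submitted as its own change. The body still calls `$this->PEAR();`, a name-based parent constructor call, so the rename is only half of a constructor migration, and any caller that invokes the old `XML_Serializer()` method name directly would break. Either keep a thin `XML_Serializer()` wrapper that forwards to `__construct()`, or leave the rename out of this fix.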
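Review bot: In the second hunk (@@ -1209,15), deleting the `foreach ($tag['attributes'] as $k => $v)` loop leaves the nested-call branch with `$replaceEntities = XML_SERIALIZER_ENTITIES_NONE` and no attribute encoding at this point, so correct output now depends on attributes having been encoded earlier, which the hunk does not show. The removed comment stated the opposite assumption ("attributes need to be encoded anyways"), and this bug was opened for attributes that were not escaped, so the commit message should name where the single encoding step now happens. The test in tests/bug-15602.phpt should cover both directions for nested tags: no raw `&`, `<` or `"` inside an attribute value, and no doubly encoded entity such as `&amp;quot;`.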
 [2016-07-04 20:18 UTC] cweiske (Christian Weiske)
@ao2: I also think the removal is correct and fixed it the same way in git.
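
A round-trip check for the two failure modes reported in this thread (an attribute left unescaped in 2009, an attribute encoded twice in 2016), as an added example that is not part of the bug report or of XML_Serializer. The helper names `xmlEscapeOnce`, `buildTag` and `checkAttr` are hypothetical, and the code assumes PHP 7.4 or later with the dom extension.

```php
<?php
// Added example; not XML_Serializer code. All function names are hypothetical.
libxml_use_internal_errors(true);   // collect parse errors instead of emitting warnings

// Escape raw text for XML content or a double-quoted attribute, exactly once.
function xmlEscapeOnce(string $raw): string
{
    // ENT_QUOTES covers " and '; ENT_XML1 emits &apos; for the apostrophe.
    return htmlspecialchars($raw, ENT_QUOTES | ENT_XML1, 'UTF-8');
}

// Build one element from raw values; $attrEsc is the attribute escaper under test.
// Assumes $name and the attribute keys are already valid XML names.
function buildTag(string $name, array $attrs, string $text, callable $attrEsc): string
{
    $out = '<' . $name;
    foreach ($attrs as $k => $v) {
        $out .= ' ' . $k . '="' . $attrEsc($v) . '"';
    }
    return $out . '>' . xmlEscapeOnce($text) . '</' . $name . '>';
}

// Parse the output back and compare the decoded attribute with the raw input.
function checkAttr(string $xml, string $attr, string $raw): string
{
    $doc = new DOMDocument();
    if (!$doc->loadXML($xml)) {
        libxml_clear_errors();
        return 'not well-formed: attribute was not escaped';
    }
    $got = $doc->documentElement->getAttribute($attr);
    return $got === $raw ? 'ok' : 'decoded value differs from input (e.g. escaped twice)';
}

$v = 'I say: "A", B & C, \'d\'!';   // value from the bug's test script
$escapers = array(
    'none'  => fn($s) => $s,                                 // no escaping
    'once'  => 'xmlEscapeOnce',                              // intended behaviour
    'twice' => fn($s) => xmlEscapeOnce(xmlEscapeOnce($s)),   // double encoding
);
foreach ($escapers as $label => $esc) {
    $xml = buildTag('tag1', array('attr1' => $v), $v, $esc);
    echo str_pad($label, 6), checkAttr($xml, 'attr1', $v), "\n";
}
```

Comparing the parsed-back value with the raw input catches both regressions, whereas a string comparison of serialized output can be misled by any tool that decodes entities on display.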