0003767: Enumeration Custum fields with html-special chars get unselected on bug-update - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update
0003767	mantisbt	custom fields	public	2004-04-23 04:29	2010-12-17 04:40

Reporter	sowiso	Assigned To	grangeway
Priority	normal	Severity	trivial	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	0.18.2
Target Version	1.2.4	Fixed in Version	1.2.4

Summary	0003767: Enumeration Custum fields with html-special chars get unselected on bug-update
Description	if fore a project exists enumeration custom fields with possible values for example (foo\|foo & bar\|bar and) and 'foo & bar' was selected on bug reproting and you are going to update bug then 'foo & bar' is not selected any more. the problem is in core/custom_field_api.php in the function print_custom_filed_input. it occurs always, when the selected value contains characters which where quoted for html-output by the function string_attirbute. to fix the problem change the line: if( $t_custom_field_value == $t_option ) { into if( $t_custom_field_value == string_attribute( $t_option ) ) { sorry i have no development system so i cannot provide a patch file.
Tags	patch
Attached Files	bugfix_custom_fields.patch (1,179 bytes) From 59863b7f7eaec333b5c273b64cf19cc9b0d8153f Mon Sep 17 00:00:00 2001 From: Dominik Blunk <dominik@blunk.ch> Date: Wed, 22 Sep 2010 14:15:03 +0200 Subject: [PATCH] Fixed: Custom fields (lists) havent been correctly selected (bug_update) when content was containing html special chars --- core/cfdefs/cfdef_standard.php \| 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/core/cfdefs/cfdef_standard.php b/core/cfdefs/cfdef_standard.php index 5754592..34a2c62 100644 --- a/core/cfdefs/cfdef_standard.php +++ b/core/cfdefs/cfdef_standard.php @@ -247,7 +247,7 @@ function cfdef_input_list($p_field_def, $t_custom_field_value) { $t_selected_values = explode( '\|', $t_custom_field_value ); foreach( $t_values as $t_option ) { - if( in_array( $t_option, $t_selected_values, true ) ) { + if ( in_array( string_attribute ( $t_option ), $t_selected_values, true ) ) { echo '<option value="' . string_attribute( $t_option ) . '" selected="selected"> ' . string_display_line( $t_option ) . '</option>'; } else { echo '<option value="' . string_attribute( $t_option ) . '">' . string_display_line( $t_option ) . '</option>'; -- 1.7.0.2.msysgit.0 bugfix_custom_fields.patch (1,179 bytes)

sowiso 2004-04-23 04:40 reporter ~0005421 Last edited: 2004-04-23 04:41	alternate you can move the line $t_custom_field_value = string_attribute( $t_custom_field_value ); behind the line case CUSTOM_FIELD_TYPE_STRING: this might be more perfomant, cause string_attribute has only to be called once edited on: 04-23-04 04:41

BWillnus 2008-10-25 13:16 reporter ~0019685	Same as bug 8512 and 9600. Still not fixed in 1.1.2. This bug exists for years now...

dominik 2010-09-22 08:25 reporter ~0026841	Attached a bugfix for master-1.2.x

dhx 2010-10-22 08:08 reporter ~0027128	Thanks for the patch Dominik. This issue was actually a much larger problem that Paul (grangeway) fixed recently in the 1.3.x branch. I have backported the fix to 1.2.x and have confirmed that this issue is now resolved. Apologies for the delay!

MantisBT: master 89c9f85a 2010-09-21 17:58 grangeway Details Diff	Following XSS changes, don't double encode		Affected Issues 0003767
	mod - core/custom_field_api.php		Diff File
MantisBT: master-1.2.x 76c9a79e 2010-09-21 17:58 grangeway Committer: dhx Details Diff	Following XSS changes, don't double encode		Affected Issues 0003767
	mod - core/custom_field_api.php		Diff File