PhpGedView / Patches / #568 Escape double quotes in config text in editconfig

#568 Escape double quotes in config text in editconfig_gedcom.php

Milestone: Applies to Normal and mySQL

Status: open

Owner: nobody

Labels: Functionality Improvement (156)

Priority: 5

Updated: 2010-05-28

Created: 2010-05-28

Creator: ggpauly

Private: No

Double quotes can be entered into config values of gedcom config files.

This renders PGV inoperable, with an error msg pointing to editconfig_gedcom.php.

This patch escapes double quotes in a few of the gedcom config values, both allowing the use of double quotes and preventing crashes.

diff:

231a232,240
>
>
> function escape_qq($str) {
>
> return str_replace('"','\"',$str);
>
> }
>
>
300,301c309,310
< $configtext = preg_replace('/\$COMMON_NAMES_ADD\s*=\s*".*";/', "\$COMMON_NAMES_ADD = \"".$_POST["NEW_COMMON_NAMES_ADD"]."\";", $configtext);
< $configtext = preg_replace('/\$COMMON_NAMES_REMOVE\s*=\s*".*";/', "\$COMMON_NAMES_REMOVE = \"".$_POST["NEW_COMMON_NAMES_REMOVE"]."\";", $configtext);
---
> $configtext = preg_replace('/\$COMMON_NAMES_ADD\s*=\s*".*";/', "\$COMMON_NAMES_ADD = \"".escape_qq($_POST["NEW_COMMON_NAMES_ADD"])."\";", $configtext);
> $configtext = preg_replace('/\$COMMON_NAMES_REMOVE\s*=\s*".*";/', "\$COMMON_NAMES_REMOVE = \"".escape_qq($_POST["NEW_COMMON_NAMES_REMOVE"])."\";", $configtext);
327c336
< $configtext = preg_replace('/\$HOME_SITE_TEXT\s*=\s*".*";/', "\$HOME_SITE_TEXT = \"".$_POST["NEW_HOME_SITE_TEXT"]."\";", $configtext);
---
> $configtext = preg_replace('/\$HOME_SITE_TEXT\s*=\s*".*";/', "\$HOME_SITE_TEXT = \"".escape_qq($_POST["NEW_HOME_SITE_TEXT"])."\";", $configtext);
351c360
< $configtext = preg_replace('/\$META_TITLE\s*=\s*".*";/', "\$META_TITLE = \"".$_POST["NEW_META_TITLE"]."\";", $configtext);
---
> $configtext = preg_replace('/\$META_TITLE\s*=\s*".*";/', "\$META_TITLE = \"".escape_qq($_POST["NEW_META_TITLE"])."\";", $configtext);
422c431
< $configtext = preg_replace('/\$WELCOME_TEXT_AUTH_MODE_4\s*=\s*".*";/', "\$WELCOME_TEXT_AUTH_MODE_4 = \"".$_POST["NEW_WELCOME_TEXT_AUTH_MODE_4"]."\";", $configtext);// new
---
> $configtext = preg_replace('/\$WELCOME_TEXT_AUTH_MODE_4\s*=\s*".*";/', "\$WELCOME_TEXT_AUTH_MODE_4 = \"".escape_qq($_POST["NEW_WELCOME_TEXT_AUTH_MODE_4"])."\";", $configtext);// new

There is no known good workaround for this, except avoid the use of double quotes. Manually escaping double quotes requires repeating the manula escape every time the config file is updated.

Patch is based on build 6964 downloaded 24 May 2010.

Patch tested in Firefox 3.0.19

Patched file attached.

Discussion

ggpauly - 2010-05-28

patched editconfig_gedcom.php

editconfig_gedcom.php

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Escape double quotes in config text in editconfig_gedcom.php

Group

Searches

Help

#568 Escape double quotes in config text in editconfig_gedcom.php

Discussion