Moodle

You also must not use these characters: & (ampersand), ' (single quote).
Creating such fields within the web interface work without problems, exporting the resulting preset.zip works, too, however, re-imprting the .zip will fail!

So, for the moment take much care not to use any "forbidden" characters in the fields' names, descriptions or options.

The key here, if I'm not wrong is that we should be using htmlspecialchars() when exporting data to XML, instead of the full (and buggy) htmlentities().

Moving this to DC... can you please test the generated preset with some "strange" characters both with htmlentities() (current behaviour) and htmlspecialchars() (proposed behaviour).

Also, you'll need to test of that preset using htmlspecialchars() to check that "strange" characters are also imported properly.

I would suggest you to post here your research results before committing anything, just to decide if the proposed htmlspecialchars() is the correct one (I hope yes).

TIA and ciao

The differences between htmlspecialchars and htmlentities can be found in php.net:

http://au2.php.net/manual/en/function.htmlentities.php
http://au2.php.net/manual/en/function.htmlspecialchars.php

I think we should filter single and double quote here, so I used ENT_QUOTES parameter here. I test umlauts and Chinese characters in mod/data, it is alright now.

Dongsheng, since you have closed this bug, I am wondering where your fix is available. Could you please attach the patch here?

Sorry, I forgot to attach the patch. You can find the changes here: http://cvs.moodle.org/moodle/mod/data/lib.php?r1=1.147&r2=1.148

Thank you, now I see. So the fix was committed into the HEAD branch. Will it also be available in MOODLE_19_STABLE?

Yes, it is available in MOODLE_19_STABLE branch

Very good news, thank you Dongsheng.

What about also committing the attached little beast (preset-import-menu.patch) which fixes the bug discussed at MDL-12439? I worked long to find out how to fix that and it works (maybe it just makes no change on PHP 5, but it solved the thing on PHP 4).

Sorry for posting the "preset-import-menu.patch" here - the bug fixed by that patch is MDL-9534 (which is open since one year).

Verified it's working here too. Closing.

Robert, what it I delete your patch from here and we continue working MDL-9534 and MDL-12439 in their respective places?

Really I need to re-read both... doing that now. Thanks!

Eloy, yes, please remove my attachment from here - the right place to discuss this issue should be MDL-9534. Thank you.

Deleted. Thanks Robert.

Unfortunately, this bug is not yet completely solved - please reopen.

What is still not possible is using single quotes within the description of fields (not tested at other places yet). At exporting the preset.zip, single quotes get replaced by "'" in the preset.xml - for example, there will be a field definition like this:

<field>
<type>text</type>
<name>Title of material</name>
<description>The material's title</description>
</field>

When trying to reimport that preset.zip, all fields containing this escaped single quote (or a true single quote character) will NOT import

As I mentioned before, I used ENT_QUOTES argument to filter single and double quote in the field name(for security), now I realize single and double quote are very useful in the field name, so I should remove this argument, how do you think, Eloy?

Keep single and double quote in present.xml, Thanks Robert.

If I'm not wrong... XML data must be free, exclusively of these chars: < > & and they must be transformed by their corresponding entitied.

In the other side... XML attributes must be free of the chars above AND these chars: " '

Our XML doesn't use XML attributes at all, so it safe to use NOENT_QUOTES as you've done. Then, automatically, XML parsers, when reading that XML, will revert the entities to their original chars.

In fact, the problem with single quotes is that htmlspecialchars() doesn't encode it properly. It should be ' and not ' But that's not important here, as we aren't using XML attributes, as explained above.

I say all this because, for exampe, in backup, we use htmlspecialchars() without parameters. That means that apart of < > &, also " are being transformed to " and, when we restore those files they are transformed back to " automatically.

So:

1) Patch looks ok (although I guess that it's safe to, simply, don't use the 2nd parameter, like backups does).
2) Could you try some single quotes and double quotes using htmlspecialchars() without second parameter?

Ciao

Still does not work. Please re-re-open.

Now the difference to the previous attempt is that a single quote gets exported literally, however a single quote within a preset.xml's field description still fails to import, no matter if it is there literally (as ') or as entity (').

Grrr, this is the never ending bug! Thanks for testing Robert.

Oki, to fix this, definitively, Dongsheng, can you, please:

1) Use htmlspecialchars() without parameter at all.
2) Review where data is inserted to DB, I guess there is some missing addslashes() somewhere (I think I suggested this in another database activity bug recently, but obviously, it hasn't been fixed).
3) Test it works before commit.

TIA! B-)

Reopening.... as requested... thanks again!

About htmlspecialchars(), I remove the second parameter now, it worked, but the double quote will be changed to entity.

function get_settings() doesn't use addslashes(), that is the reason why you cannot import files with single quote.

fixed and tested.
Double quote and single quote can be included in preset.xml now, double quote will be changed to entity, single quote doesn't change, please review, feel free to open it if you find any problems. (I hope it works well )

Finally..... it W O R K S )

Thank you all.

hmm, the use of magic quotes is not optional at all in data mod
fortunaletly it will be gone in 2.0

Verified. Closing...

BTW, Petr... I don't get your latest comment... anything important? Feel free to reopen if so.

Ciao