So, for the moment take much care not to use any "forbidden" characters in the fields' names, descriptions or options.

Moving this to DC... can you please test the generated preset with some "strange" characters both with htmlentities() (current behaviour) and htmlspecialchars() (proposed behaviour).

Also, you'll need to test of that preset using htmlspecialchars() to check that "strange" characters are also imported properly.

I would suggest you to post here your research results before committing anything, just to decide if the proposed htmlspecialchars() is the correct one (I hope yes).

TIA and ciao

http://au2.php.net/manual/en/function.htmlentities.php
http://au2.php.net/manual/en/function.htmlspecialchars.php

I think we should filter single and double quote here, so I used ENT_QUOTES parameter here. I test umlauts and Chinese characters in mod/data, it is alright now.

What about also committing the attached little beast (preset-import-menu.patch) which fixes the bug discussed at MDL-12439? I worked long to find out how to fix that and it works (maybe it just makes no change on PHP 5, but it solved the thing on PHP 4).

Robert, what it I delete your patch from here and we continue working MDL-9534 and MDL-12439 in their respective places?

Really I need to re-read both... doing that now. Thanks!

What is still not possible is using single quotes within the description of fields (not tested at other places yet). At exporting the preset.zip, single quotes get replaced by "'" in the preset.xml - for example, there will be a field definition like this:

<field>
<type>text</type>
<name>Title of material</name>
<description>The material's title</description>
</field>

When trying to reimport that preset.zip, all fields containing this escaped single quote (or a true single quote character) will NOT import

In the other side... XML attributes must be free of the chars above AND these chars: " '

Our XML doesn't use XML attributes at all, so it safe to use NOENT_QUOTES as you've done. Then, automatically, XML parsers, when reading that XML, will revert the entities to their original chars.

In fact, the problem with single quotes is that htmlspecialchars() doesn't encode it properly. It should be ' and not ' But that's not important here, as we aren't using XML attributes, as explained above.

I say all this because, for exampe, in backup, we use htmlspecialchars() without parameters. That means that apart of < > &, also " are being transformed to " and, when we restore those files they are transformed back to " automatically.

So:

1) Patch looks ok (although I guess that it's safe to, simply, don't use the 2nd parameter, like backups does).
2) Could you try some single quotes and double quotes using htmlspecialchars() without second parameter?

Ciao

Now the difference to the previous attempt is that a single quote gets exported literally, however a single quote within a preset.xml's field description still fails to import, no matter if it is there literally (as ') or as entity (').

Oki, to fix this, definitively, Dongsheng, can you, please:

1) Use htmlspecialchars() without parameter at all.
2) Review where data is inserted to DB, I guess there is some missing addslashes() somewhere (I think I suggested this in another database activity bug recently, but obviously, it hasn't been fixed).
3) Test it works before commit.

TIA! B-)

function get_settings() doesn't use addslashes(), that is the reason why you cannot import files with single quote.

Thank you all.

BTW, Petr... I don't get your latest comment... anything important? Feel free to reopen if so.

Ciao