PHP :: Request #64137 :: XSLTProcessor::setParameter() should allow both quotes to be used

XSLTProcessor::setParameter() should allow both quotes to be used

Submitted:

2013-02-02 20:12 UTC

Modified:

2023-09-30 19:45 UTC

Votes:	9
Avg. Score:	4.2 ± 0.8
Reproduced:	9 of 9 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

phpwnd at gmail dot com

Assigned:

nielsdos (profile)

Status:

Closed

Package:

XSLT related

PHP Version:

5.4.11

OS:

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	phpwnd at gmail dot com
New email:
PHP Version:		OS:

New Comment:

[2013-02-02 20:12 UTC] phpwnd at gmail dot com

Description:
------------
XSLTProcessor::setParameter() does not currently allow values that contain both single quotes and double quotes. This appears to be intentional, as per php_xsl_xslt_string_to_xpathexpr() located in ext/xsl/xsltprocessor.c line 119.
(https://github.com/php/php-src/blob/master/ext/xsl/xsltprocessor.c#L119)

This shortcoming comes from the fact that XPath 1.0 does not provide a mechanism to escape characters, so PHP does not have a straightforward way to express a string that contains both types of quotes. XPath 1.0 does, however, provide a function to concatenate strings. Using concat(), a string composed of the two characters "' can be expressed as concat('"',"'"). concat() takes 2 or more arguments so as long as you alternate the quoting style, you can express a string containing any number of quotes of both types.

This is the proposed change: use XPath's concat() function to express strings that contain both types of quotes.

Test script:
---------------
<?php

$xml = new DOMDocument;
$xml->loadXML('<X/>');

$xsl = new DOMDocument;
$xsl->loadXML('<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"><xsl:output method="text"/><xsl:param name="foo"/><xsl:template match="/"><xsl:value-of select="$foo"/></xsl:template></xsl:stylesheet>');

$xslt = new XSLTProcessor;
$xslt->importStylesheet($xsl);
$xslt->setParameter('', 'foo', "\"'");

echo $xslt->transformToXml($xml);

Expected result:
----------------
"'

Actual result:
--------------
PHP Warning:  XSLTProcessor::transformToXml(): Cannot create XPath expression (string contains both quote and double-quotes) in %s on line %d

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2023-09-30 13:35 UTC] nielsdos@php.net

-Status: Open +Status: Verified

[2023-09-30 19:45 UTC] nielsdos@php.net

-Status: Verified +Status: Closed -Assigned To: +Assigned To: nielsdos

[2023-09-30 19:45 UTC] nielsdos@php.net

The fix for this bug has been committed.
If you are still experiencing this bug, try to check out latest source from https://github.com/php/php-src and re-test.
Thank you for the report, and for helping us make PHP better.

Implemented in master.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Tue Dec 03 17:01:29 2024 UTC