php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #64137 XSLTProcessor::setParameter() should allow both quotes to be used
Submitted: 2013-02-02 20:12 UTC Modified: 2023-09-30 19:45 UTC
Votes:9
Avg. Score:4.2 ± 0.8
Reproduced:9 of 9 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: phpwnd at gmail dot com Assigned: nielsdos (profile)
Status: Closed Package: XSLT related
PHP Version: 5.4.11 OS:
Private report: No CVE-ID: None
 [2013-02-02 20:12 UTC] phpwnd at gmail dot com
Description:
------------
XSLTProcessor::setParameter() does not currently allow values that contain both single quotes and double quotes. This appears to be intentional, as per php_xsl_xslt_string_to_xpathexpr() located in ext/xsl/xsltprocessor.c line 119.
(https://github.com/php/php-src/blob/master/ext/xsl/xsltprocessor.c#L119)

This shortcoming comes from the fact that XPath 1.0 does not provide a mechanism to escape characters, so PHP does not have a straightforward way to express a string that contains both types of quotes. XPath 1.0 does, however, provide a function to concatenate strings. Using concat(), a string composed of the two characters "' can be expressed as concat('"',"'"). concat() takes 2 or more arguments so as long as you alternate the quoting style, you can express a string containing any number of quotes of both types.

This is the proposed change: use XPath's concat() function to express strings that contain both types of quotes.

Test script:
---------------
<?php

$xml = new DOMDocument;
$xml->loadXML('<X/>');

$xsl = new DOMDocument;
$xsl->loadXML('<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"><xsl:output method="text"/><xsl:param name="foo"/><xsl:template match="/"><xsl:value-of select="$foo"/></xsl:template></xsl:stylesheet>');

$xslt = new XSLTProcessor;
$xslt->importStylesheet($xsl);
$xslt->setParameter('', 'foo', "\"'");

echo $xslt->transformToXml($xml);

Expected result:
----------------
"'

Actual result:
--------------
PHP Warning:  XSLTProcessor::transformToXml(): Cannot create XPath expression (string contains both quote and double-quotes) in %s on line %d

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2023-09-30 13:35 UTC] nielsdos@php.net
-Status: Open +Status: Verified
 [2023-09-30 19:45 UTC] nielsdos@php.net
-Status: Verified +Status: Closed -Assigned To: +Assigned To: nielsdos
 [2023-09-30 19:45 UTC] nielsdos@php.net
The fix for this bug has been committed.
If you are still experiencing this bug, try to check out latest source from https://github.com/php/php-src and re-test.
Thank you for the report, and for helping us make PHP better.

Implemented in master.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 11:01:28 2024 UTC