Request #64137 XSLTProcessor::setParameter() should allow both quotes to be used
Submitted: 2013-02-02 20:12 UTC Modified: -
Votes:7
Avg. Score:4.4 ± 0.7
Reproduced:7 of 7 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: phpwnd at gmail dot com Assigned:
Status: Open Package: XSLT related
PHP Version: 5.4.11 OS:
Private report: No CVE-ID: None

 [2013-02-02 20:12 UTC] phpwnd at gmail dot com
Description:
------------
XSLTProcessor::setParameter() does not currently allow values that contain both single quotes and double quotes. This appears to be intentional, as per php_xsl_xslt_string_to_xpathexpr() located in ext/xsl/xsltprocessor.c line 119.
(https://github.com/php/php-src/blob/master/ext/xsl/xsltprocessor.c#L119)

This shortcoming comes from the fact that XPath 1.0 does not provide a mechanism to escape characters, so PHP does not have a straightforward way to express a string that contains both types of quotes. XPath 1.0 does, however, provide a function to concatenate strings. Using concat(), a string composed of the two characters "' can be expressed as concat('"',"'"). concat() takes 2 or more arguments so as long as you alternate the quoting style, you can express a string containing any number of quotes of both types.

This is the proposed change: use XPath's concat() function to express strings that contain both types of quotes.

Test script:
---------------
<?php

$xml = new DOMDocument;
$xml->loadXML('<X/>');

$xsl = new DOMDocument;
$xsl->loadXML('<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"><xsl:output method="text"/><xsl:param name="foo"/><xsl:template match="/"><xsl:value-of select="$foo"/></xsl:template></xsl:stylesheet>');

$xslt = new XSLTProcessor;
$xslt->importStylesheet($xsl);
$xslt->setParameter('', 'foo', "\"'");

echo $xslt->transformToXml($xml);

Expected result:
----------------
"'

Actual result:
--------------
PHP Warning:  XSLTProcessor::transformToXml(): Cannot create XPath expression (string contains both quote and double-quotes) in %s on line %d
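
The concat() approach described in the report, written as a userland helper. This is an added example, not code from the report or from php-src; the function name xpath_literal() and the sample strings are assumptions made for illustration. It covers the general case (any mix of quotes, not only the two-character string from the test script) and checks each literal by evaluating it with DOMXPath.

```php
<?php
// Added example: express any string as an XPath 1.0 string literal.
// xpath_literal() is a hypothetical helper name, not a PHP or libxslt API.
function xpath_literal(string $s): string
{
    // Only one quote style (or none) present: a plain literal is enough.
    if (strpos($s, '"') === false) {
        return '"' . $s . '"';
    }
    if (strpos($s, "'") === false) {
        return "'" . $s . "'";
    }

    // Both styles present. Split on the double quote: every chunk is then
    // safe inside double quotes, and each double quote that was removed is
    // re-inserted as its own single-quoted argument to concat().
    $args = [];
    foreach (explode('"', $s) as $i => $chunk) {
        if ($i > 0) {
            $args[] = "'\"'";
        }
        if ($chunk !== '') {
            $args[] = '"' . $chunk . '"';
        }
    }
    // At least one '"' argument and one chunk holding a single quote exist
    // here, so concat() always receives the two arguments it requires.
    return 'concat(' . implode(',', $args) . ')';
}

// Round-trip check against the XPath engine (sample strings are constructed).
$doc = new DOMDocument;
$doc->loadXML('<X/>');
$xpath = new DOMXPath($doc);

foreach (['plain', "it's", 'say "hi"', "\"'", "a\"b'c\"\"d'"] as $sample) {
    $literal = xpath_literal($sample);
    $back    = $xpath->evaluate('string(' . $literal . ')');
    printf("%-12s => %-36s %s\n", $sample, $literal, $back === $sample ? 'ok' : 'MISMATCH');
}
```

The same helper applies wherever untrusted text is interpolated into an XPath expression, since a literal built this way cannot be terminated early by a quote in the input.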

Last updated: Sun Sep 15 18:01:27 2019 UTC