php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #64137 XSLTProcessor::setParameter() should allow both quotes to be used
Submitted: 2013-02-02 20:12 UTC Modified: -
Votes:8
Avg. Score:4.4 ± 0.7
Reproduced:8 of 8 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: phpwnd at gmail dot com Assigned:
Status: Open Package: XSLT related
PHP Version: 5.4.11 OS:
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: phpwnd at gmail dot com
New email:
PHP Version: OS:

 

 [2013-02-02 20:12 UTC] phpwnd at gmail dot com
Description:
------------
XSLTProcessor::setParameter() does not currently allow values that contain both single quotes and double quotes. This appears to be intentional, as per php_xsl_xslt_string_to_xpathexpr() located in ext/xsl/xsltprocessor.c line 119.
(https://github.com/php/php-src/blob/master/ext/xsl/xsltprocessor.c#L119)

This shortcoming comes from the fact that XPath 1.0 does not provide a mechanism to escape characters, so PHP does not have a straightforward way to express a string that contains both types of quotes. XPath 1.0 does, however, provide a function to concatenate strings. Using concat(), a string composed of the two characters "' can be expressed as concat('"',"'"). concat() takes 2 or more arguments so as long as you alternate the quoting style, you can express a string containing any number of quotes of both types.

This is the proposed change: use XPath's concat() function to express strings that contain both types of quotes.

Test script:
---------------
<?php

$xml = new DOMDocument;
$xml->loadXML('<X/>');

$xsl = new DOMDocument;
$xsl->loadXML('<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"><xsl:output method="text"/><xsl:param name="foo"/><xsl:template match="/"><xsl:value-of select="$foo"/></xsl:template></xsl:stylesheet>');

$xslt = new XSLTProcessor;
$xslt->importStylesheet($xsl);
$xslt->setParameter('', 'foo', "\"'");

echo $xslt->transformToXml($xml);

Expected result:
----------------
"'

Actual result:
--------------
PHP Warning:  XSLTProcessor::transformToXml(): Cannot create XPath expression (string contains both quote and double-quotes) in %s on line %d

Patches

Add a Patch

Pull Requests

Add a Pull Request

 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Mon Dec 09 16:01:24 2019 UTC