Fix for issue 12127: Single quotation marks are now decoded properly in admin attribute option input fields #12133
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…in admin attribute option input fields.
|
|
magento-engcom-team
added
Reproduced on 2.1.x
|
Verified PR does not introduce XSS vulnerability in admin area, product view, compare products, shopping cart, and checkout. |
okorshenko
pushed a commit
that referenced
this pull request
Nov 28, 2017
…coded properly in admin attribute option input fields #12133
magento-engcom-team
added
the
Fixed in 2.2.x
|
I am still getting same issue in magento 2.2.5 version .
|
|
That doesn't look like the same issue; op was about attribute options edit
page.
…On Tue, Jul 10, 2018, 14:46 wclansar ***@***.***> wrote:
I am still getting same issue in magento 2.2.5 version .
[image: options]
<https://user-images.githubusercontent.com/10025094/42493547-103ac5fa-843b-11e8-9b75-d279d673ca95.png>
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#12133 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AA4ypsF9n53VRqwaOI61sV0rRI6343T7ks5uFE3igaJpZM4QXmfp>
.
|
|
i am at product edit page in admin and drop down attribute showing me that text instead of Apostrophe. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Single quotation marks are now decoded properly in admin attribute option input fields.
It sort of feels like this is a workaround though. I think the right fix would be to not escape the output by PHP in the first place, and let Underscore's templating engine handle the escaping.
As it stands now, the attribute option value is first escaped in
Magento\Eav\Block\Adminhtml\Attribute\Edit\Options\Options::_prepareUserDefinedAttributeOptionValues, and then it's decoded (improperly) inapp/code/Magento/Catalog/view/adminhtml/templates/catalog/product/attribute/options.phtml::91, and then it's escaped again by the Underscore templating engine:<%- %>.The problem is that the first escapes includes single quotes, but the decode doesn't (which I've added in this PR). So, I've fixed the bad decode, but why the first encode/decode is happening, I'm not sure.
Fixed Issues
Fixes issue #12127.
Manual testing scenarios
Result
Nature's Way Supplements, instead ofNature's Way Supplements.eav_attribute_option_value) correctly storesNature's Way Supplements, instead ofNature's Way Supplements.