  #1

    functions_general.php: htmlspecialchars missing parameters?

    Zen Cart v1.5.4: /includes/functions/functions_general.php (function zen_db_output, line 970):
    Code:
      function zen_db_output($string) {
        return htmlspecialchars($string);
      }
    Is there a reason why this isn't coded as:
    Code:
      function zen_db_output($string) {
        return htmlspecialchars($string, ENT_COMPAT, CHARSET, TRUE);
      }
    Last edited by lat9; 10 Jan 2015 at 09:17 PM. Reason: Added last parameter to call
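Added example, not Zen Cart's code or the poster's: a stand-alone PHP script that contrasts the two calls above on the same input. CHARSET stands in for Zen Cart's configuration constant; the ISO-8859-1 value is assumed here for the demo.

```php
<?php
// Assumption for this demo: the store is configured for ISO-8859-1.
// (Zen Cart defines CHARSET from its language configuration.)
define('CHARSET', 'iso-8859-1');

// Legacy form: flags, encoding and double_encode all left at PHP's defaults.
function zen_db_output_legacy($string) {
    return htmlspecialchars($string);
}

// Proposed form: explicit flags, the store's charset, double_encode = true
// (true is already PHP's default, so the fourth argument only documents intent).
function zen_db_output_explicit($string) {
    return htmlspecialchars($string, ENT_COMPAT, CHARSET, true);
}

// Constructed input: a tag, an attribute-breaking double quote, and the
// single byte 0xE9 ("é" in ISO-8859-1, but not a valid UTF-8 sequence).
$input = "Caf\xE9 <b>\"x\"</b>";

// With no encoding argument, PHP 5.4 through 8.0 assume UTF-8 and return ""
// for an invalid byte sequence, so the whole value is silently dropped.
// PHP 8.1+ adds ENT_SUBSTITUTE to the default flags and emits U+FFFD instead.
var_dump(zen_db_output_legacy($input));

// With the store charset passed explicitly, the byte is kept and the markup
// characters are escaped: Caf\xE9 &lt;b&gt;&quot;x&quot;&lt;/b&gt;
var_dump(zen_db_output_explicit($input));

// Double-encode caveat: an already-encoded entity is encoded again
// ("&amp;" becomes "&amp;amp;"), which is why callers must not escape twice.
var_dump(zen_db_output_explicit("&amp;"));
```

The same mismatch applies in the other direction: a UTF-8 store whose calls name a single-byte charset will pass multi-byte input through unchecked.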

  #2

    Re: functions_general.php: htmlspecialchars missing parameters?

    I think that's an oversight in legacy code.

    And I'm pretty sure that all remaining references to zen_db_output() should actually be using zen_output_string_protected() instead.

    Further, I think a review of all direct calls to htmlspecialchars() should be done to replace them with zen_output_string_protected() also ... unless there's a specific reason not to.

    More for the to-do list! https://github.com/zencart/zencart/issues/270

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
