  1. #1

    Double-quotes in metatag fields being converted to html entities

    Following notification by a client, we tested this on a vanilla 155a - Trustwave Security Report Patch has been included on the installation

    When entering quote characters in metatag descriptions and titles, the symbol is converted from e.g. " to &quot; at the point of saving to the database, yet shows correctly at the point of preview.

    (NB. The usage is to represent inches)
    Development Manager @ JSWeb Ltd
    Over 15 years with Zencart

  2. #2

    Re: Double-quotes in metatag fields being converted to html entities

    Um ... You can't use double-quotes in metatags (when the field is bounded by double quotes already). You can't even "escape" them to make them allowed. The HTML spec doesn't allow nesting of quotes within quotes or double-quotes-within-double-quotes.

    Zen Cart has always stripped double-quotes from all title/keyword/description metatags, upon output. So the fact that you're suddenly seeing the conversion to entities admin-side is a secondary observation.

    While the HTML spec allows for <title> to contain quotes/doublequotes, you would need to change every place in the meta_tags.php module file where double-quotes are converted, as well as the html_header where the metatag is rendered, so that it is bounded with single quotes instead of double quotes ... despite the fact that double-quotes are the preferred punctuation generally speaking.

    Only after you've made those significant changes would it make any sense to alter how the Admin handles sanitization of inputs regarding those characters. That said, we'll investigate the ramifications of allowing for the admin to bypass converting those to entities. (See the next post)

    QUESTION:
    Are you *really* wanting ALL three fields (title, description, keywords) to display "inches" symbol? Or is this really just related to setting a custom title?

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3

    Re: Double-quotes in metatag fields being converted to html entities

    wilt has prepared an update to the admin side that will help bypass the conversion to entities: https://github.com/zencart/zencart/pull/1009/files

    Things to note:
    a) these code changes are based on the latest updates to the Admin sanitization code posted on github, which were updated since the Trustwave announcement was posted

    b) you will still need to edit your html_header.php to bound all your metatags using single-quotes instead of double

    c) you will also need to change all the str_replace('"', '', $foo) in meta_tags.php to replace single-quotes instead of double-quotes

    d) and maybe zen_clean_html() might require customization.

    And then do aggressive testing to ensure you haven't opened up any holes.
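Why steps (b) and (c) in post #3 have to be changed together, shown as an added example that is not part of the thread and is not Zen Cart code. The helper names `render_meta()`, `parsed_attributes()` and `is_intact()` are hypothetical and only model the strip-then-bound pattern the post describes; the sample values are constructed.

```php
<?php
// Added example: hypothetical helpers, not Zen Cart code.

// Models the pattern from the post: remove one quote character from the
// value with str_replace(), then bound each attribute with $bound.
function render_meta(string $name, string $value, string $strip, string $bound): string
{
    $clean = str_replace($strip, '', $value);
    return '<meta name=' . $bound . $name . $bound
         . ' content=' . $bound . $clean . $bound . ' />';
}

// Parses the rendered tag and returns its attributes as name => value.
function parsed_attributes(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // keep parser warnings out of the output
    $doc->loadHTML('<html><head>' . $html . '</head></html>');
    libxml_clear_errors();
    $meta = $doc->getElementsByTagName('meta')->item(0);
    if ($meta === null) {
        return [];
    }
    $attrs = [];
    foreach ($meta->attributes as $attr) {
        $attrs[$attr->name] = $attr->value;
    }
    return $attrs;
}

// The tag is intact when the parser sees exactly name and content.
function is_intact(string $html): bool
{
    return array_keys(parsed_attributes($html)) === ['name', 'content'];
}

// Constructed sample values: inches, feet, and a quote followed by more text.
$samples = ['21" monitor', "6' ladder", "a' data-x='1"];

foreach ($samples as $value) {
    // Step (b) alone: single-quote bounding while still stripping double quotes.
    $mismatched = render_meta('description', $value, '"', "'");
    // Steps (b) and (c) together: strip the same character that bounds the value.
    $matched = render_meta('description', $value, "'", "'");
    printf("%-16s b only: %-6s b+c: %s\n", $value,
        is_intact($mismatched) ? 'ok' : 'BROKEN',
        is_intact($matched) ? 'ok' : 'BROKEN');
}
```

This models only the quote handling; whatever zen_clean_html() does to the value, per point (d), is outside what it checks.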

  4. #4

    Re: Double-quotes in metatag fields being converted to html entities

    Thanks for all that - this should hopefully persuade the client to use ins and ft instead of " and '

    And in answer to your question about all 3 fields - in spite of advice, customers often know best ;-)

 

 
