Index: branches/5.2.x/units/gateways/gw_tag_processor.php
===================================================================
diff -u -N -r15600 -r15854
--- branches/5.2.x/units/gateways/gw_tag_processor.php (.../gw_tag_processor.php) (revision 15600)
+++ branches/5.2.x/units/gateways/gw_tag_processor.php (.../gw_tag_processor.php) (revision 15854)
@@ -1,6 +1,6 @@
ConfigValues[$id]) ? $this->ConfigValues[$id] : '';
if ( !array_key_exists('no_special', $params) || !$params['no_special'] ) {
- $value = htmlspecialchars($value, null, CHARSET);
+ $value = kUtil::escape($value);
}
if ( getArrayValue($params, 'checked') ) {
Index: branches/5.2.x/units/gateways/gw_classes/ideal_nl.php
===================================================================
diff -u -N -r15600 -r15854
--- branches/5.2.x/units/gateways/gw_classes/ideal_nl.php (.../ideal_nl.php) (revision 15600)
+++ branches/5.2.x/units/gateways/gw_classes/ideal_nl.php (.../ideal_nl.php) (revision 15854)
@@ -1,6 +1,6 @@
FindChildValue('message');
$this->parsed_responce['XML'] = $transaction_xml;
$this->Application->SetVar('failure_template', $this->Application->RecallVar('gw_cancel_template'));
- $this->parsed_responce['MESSAGE'] = $error_msg ? $error_msg : 'Unknown gateway error ('.htmlspecialchars($transaction_xml, null, CHARSET).')';
+ $this->parsed_responce['MESSAGE'] = $error_msg ? $error_msg : 'Unknown gateway error ('.kUtil::escape($transaction_xml, kUtil::ESCAPE_HTML).')';
return false;
}
Index: branches/5.2.x/units/shipping_quote_engines/usps.php
===================================================================
diff -u -N -r15568 -r15854
--- branches/5.2.x/units/shipping_quote_engines/usps.php (.../usps.php) (revision 15568)
+++ branches/5.2.x/units/shipping_quote_engines/usps.php (.../usps.php) (revision 15854)
@@ -1,6 +1,6 @@
';
$api_query = 'IntlRate';
}
- $request = 'API='.$api_query.'&XML=' . urlencode($request);
+ $request = 'API='.$api_query.'&XML=' . kUtil::escape($request, kUtil::ESCAPE_URL);
$body = $this->PostQuery($request);
$body = str_replace(chr(146), '', $body); // for bad `
@@ -937,7 +937,7 @@
// die($request);
- $request = 'API='.$api_query.'&XML='.urlencode($request);
+ $request = 'API='.$api_query.'&XML='.kUtil::escape($request, kUtil::ESCAPE_URL);
$body = $this->PostQuery($request, 1);
@@ -1079,7 +1079,7 @@
$request = '';
$api_query = 'TrackV2';
- $request = 'API='.$api_query.'&XML='.urlencode($request);
+ $request = 'API='.$api_query.'&XML='.kUtil::escape($request, kUtil::ESCAPE_URL);
$body = $this->PostQuery($request);
// check for errors
Index: branches/5.2.x/units/gateways/gw_classes/google_checkout.php
===================================================================
diff -u -N -r15600 -r15854
--- branches/5.2.x/units/gateways/gw_classes/google_checkout.php (.../google_checkout.php) (revision 15600)
+++ branches/5.2.x/units/gateways/gw_classes/google_checkout.php (.../google_checkout.php) (revision 15854)
@@ -1,6 +1,6 @@
- '.htmlspecialchars($order_item['ProductName'], null, CHARSET).'
- '.htmlspecialchars($order_item[$ml_formatter->LangFieldName('DescriptionExcerpt')], null, CHARSET).''.
+ '.kUtil::escape($order_item['ProductName'], kUtil::ESCAPE_HTML).'
+ '.kUtil::escape($order_item[$ml_formatter->LangFieldName('DescriptionExcerpt')], kUtil::ESCAPE_HTML).''.
$this->getPriceXML('unit-price', $order_item['Price']).'
'.$order_item['Quantity'].'
';
@@ -102,7 +102,7 @@
$shipping_xml = '';
foreach ($shipping_types as $shipping_name) {
- $shipping_xml .= '
+ $shipping_xml .= '
0.00
';
}
@@ -390,7 +390,7 @@
$shipping_name = $shipping_type['ShippingName'];
$processable_shipping_index = array_search($shipping_name, $process_shippings);
if ($processable_shipping_index !== false) {
- $shipping_types_xml .= '
+ $shipping_types_xml .= '
'.sprintf('%01.2f', $shipping_type['TotalCost']).'
true
';
@@ -402,7 +402,7 @@
// add unavailable shipping types
foreach ($process_shippings as $shipping_name) {
- $shipping_types_xml .= '
+ $shipping_types_xml .= '
0.00
false
';
Index: branches/5.2.x/units/shipping_quote_engines/intershipper.php
===================================================================
diff -u -N -r15141 -r15854
--- branches/5.2.x/units/shipping_quote_engines/intershipper.php (.../intershipper.php) (revision 15141)
+++ branches/5.2.x/units/shipping_quote_engines/intershipper.php (.../intershipper.php) (revision 15854)
@@ -1,6 +1,6 @@
$val) {
- $b[] = $key.'='.urlencode(trim($val));
+ $b[] = $key.'='.kUtil::escape(trim($val), kUtil::ESCAPE_URL);
}
//the last one is CUSTOMINFO according to GW specs, passing the atosorigin-style 'caddie'
$b = join($separator, $b);
Index: branches/5.2.x/units/product_options/product_options_tag_processor.php
===================================================================
diff -u -N -r15600 -r15854
--- branches/5.2.x/units/product_options/product_options_tag_processor.php (.../product_options_tag_processor.php) (revision 15600)
+++ branches/5.2.x/units/product_options/product_options_tag_processor.php (.../product_options_tag_processor.php) (revision 15854)
@@ -1,6 +1,6 @@
GetID(), $options) ? $options[$object->GetID()] : '';
if ( $object->GetDBField('OptionType') == OptionType::CHECKBOX ) {
- $selected = is_array($option_value) && in_array(htmlspecialchars($val, null, CHARSET), $option_value);
+ $selected = is_array($option_value) && in_array(kUtil::escape($val), $option_value);
}
else { // radio buttons ?
$selected = htmlspecialchars_decode($option_value) == $val;
Index: branches/5.2.x/units/products/products_tag_processor.php
===================================================================
diff -u -N -r15540 -r15854
--- branches/5.2.x/units/products/products_tag_processor.php (.../products_tag_processor.php) (revision 15540)
+++ branches/5.2.x/units/products/products_tag_processor.php (.../products_tag_processor.php) (revision 15854)
@@ -1,6 +1,6 @@
Application->HREF('__default__', '', Array ('pass_category' => 1)));
+ $params['continue'] = kUtil::escape($this->Application->HREF('__default__', '', Array ('pass_category' => 1)), kUtil::ESCAPE_URL);
return $this->Application->ProcessParsedTag('m', 'Link', $params);
}
Index: branches/5.2.x/units/order_items/order_items_tag_processor.php
===================================================================
diff -u -N -r15600 -r15854
--- branches/5.2.x/units/order_items/order_items_tag_processor.php (.../order_items_tag_processor.php) (revision 15600)
+++ branches/5.2.x/units/order_items/order_items_tag_processor.php (.../order_items_tag_processor.php) (revision 15854)
@@ -1,6 +1,6 @@
= 0 ? '+' : '-';
}
- $block_params['value'] = htmlspecialchars($val, null, CHARSET);
+
+ // TODO: consider escaping in template instead
+ $block_params['value'] = kUtil::escape($val);
$block_params['type'] = $key_data['OptionType'];
}
$o .= $this->Application->ParseBlock($block_params, 1);
@@ -176,7 +178,10 @@
foreach ($values as $val) {
$i++;
$val = htmlspecialchars_decode($val);
- $block_params['value'] = htmlspecialchars($val, null, CHARSET);
+
+ // TODO: consider escaping in template instead
+ $block_params['value'] = kUtil::escape($val);
+
if ($price_types[$val] == '$') {
$iso = $this->GetISO($params['currency']);
$value = $this->AddCurrencySymbol(sprintf("%.2f", $this->ConvertCurrency($prices[$val], $iso)), $iso, true); // true to force sign