#1 2013-11-12 13:20:21

wal_toor
Member
From: The Netherlands
Registered: 2013-07-25
Posts: 17

Single quote gives parse error

Hi all,

I have found this bug. Using a single quote in either the title or the body text of a page/article results in a parse error (Ionize 1.0.4).

I have this article that has this title:

From 12-14 September 2013, Moscow's Expocenter hosted United Coffee and Tea Industry Event

This shows me an error:

Parse error: syntax error, unexpected T_STRING in /Applications/MAMP/htdocs/site/application/libraries/ftl/parser.php(289) : eval()'d code on line 653
Array
(
)

Tag error : <ion: >
PHP error : syntax error, unexpected T_STRING
in expression : 
file : /Applications/MAMP/htdocs/site/application/libraries/ftl/parser.php(289) : eval()'d code

The same happens if there is a single quote in the body text.

Is there a fix for this?

greetz,
walter

Last edited by wal_toor (2013-11-21 16:39:28)


#2 2013-11-21 16:24:58

wal_toor
Member
From: The Netherlands
Registered: 2013-07-25
Posts: 17

Re: Single quote gives parse error

Hi all,

So, no one has had this problem. I am running a local server, development server and live server, and all three servers have this problem (this is also the problem if you use a single quote in the body text). If I create a var_dump in the parser file:

protected function get_eval($string)
	{
		var_dump($string);
		// Extract PHP data before eval.
		// It contains an array, that will be available for the PHP code.
		if ($this->php_data)
			extract($this->php_data);
		return eval('?>'.$string.'<?php ');
	}

The source code (of the parsed article content) is like this:

$article_content = '<p>show me a single's quote</p>';

You see that this single quote destroys the entire page.

To make things worse, I can insert (in the WYSIWYG editor) my own PHP code like this:

some strange characters ? asd == | <?php   ?> %2'; echo "so something crazy here, like evil php functions"; '

Not good.

I have also tried to change the Tiny MCE settings, but this didn't work:

entity_encoding : 'named',
entity_encoding : 'numeric',

Where do I need to addslashes?

I am currently searching in the article_model.php in the save function.

greetz,
walter
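
The failure described in this post, as an added example that is not part of the original thread and is not Ionize code: it contrasts pasting a value between single quotes with emitting it through var_export() before eval. The function names are hypothetical, the sample strings are constructed, and PHP 7 or later is assumed (eval throws ParseError).

```php
<?php
// Added illustration; not Ionize code. All function names are hypothetical.

// Mirrors the generated line shown in the post: the value is pasted
// between single quotes with no escaping.
function build_assignment_unsafe(string $name, string $value): string
{
    return '$' . $name . " = '" . $value . "';";
}

// var_export() emits a valid PHP string literal: it escapes ' and \,
// the only two characters that are special inside single quotes.
function build_assignment_safe(string $name, string $value): string
{
    return '$' . $name . ' = ' . var_export($value, true) . ';';
}

// Evaluates generated code in this function's scope and returns the
// variable it assigned, or null when the code does not parse.
function run_generated(string $code, string $name)
{
    try {
        eval($code);
    } catch (ParseError $e) {
        return null;
    }
    return $$name ?? null;
}

// Constructed sample inputs.
$samples = [
    "<p>show me a single's quote</p>",
    "Moscow's Expocenter",
    'trailing backslash \\',
];

foreach ($samples as $value) {
    $unsafe = run_generated(build_assignment_unsafe('article_content', $value), 'article_content');
    $safe   = run_generated(build_assignment_safe('article_content', $value), 'article_content');
    printf("%-35s unsafe=%s safe=%s\n",
        $value,
        $unsafe === $value ? 'ok' : 'BROKEN',
        $safe === $value ? 'round-trips' : 'BROKEN');
}
```

The third sample contains no quote at all, which is why replacing only the single quote at save time does not cover every value that can break the generated literal.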


#3 2013-11-21 16:38:50

wal_toor
Member
From: The Netherlands
Registered: 2013-07-25
Posts: 17

Re: Single quote gives parse error

Okay, we found a quick fix for this problem, in the article_model.php and the page_model.php.

article_model.php

	/**
	 * Saves the article
	 *
	 * @param 	array	Standard data table
	 * @param 	array	Lang depending data table
	 *
	 * @return	int		Articles saved ID
	 *
	 */
	public function save($data, $lang_data)
	{
		// New article : Created field
		if( ! $data['id_article'] OR $data['id_article'] == '')
			$data['created'] = $data['updated'] = date('Y-m-d H:i:s');
		// Existing article : Update date
		else
			$data['updated'] = date('Y-m-d H:i:s');

		// Dates
		$data = $this->_set_dates($data);

		// single quote fix
		foreach($lang_data as $i => $fix) {
			if(isset($fix['title'])) {
				$fix['title'] = str_replace("'", "&apos;", $fix['title']);
			}

			if(isset($fix['content'])) {
				$fix['content'] = str_replace("'", "&apos;", $fix['content']);
			}

			$lang_data[$i] = $fix;
		}
		// end single quote fix

		// Article saving
		return parent::save($data, $lang_data);
	}

page_model.php

	/**
	 * Saves one Page
	 *
	 * @param	array		Page data table
	 * @param	array		Page Lang depending data table
	 *
	 * @return	int			The inserted / updated page ID
	 *
	 */
	public function save($data, $lang_data)
	{
		// Dates
		$data = $this->_set_dates($data);

		// Correct level regarding to the parent
		if (isset($data['id_parent']))
		{
			$parent_array = $this->get_parent_array($data['id_parent']);
			$data['level'] = count($parent_array);
		}

		// Correct child pages
		if ( ! empty($data['id_page']))
		{
			$page = $this->get_by_id($data['id_page']);
			if ($page['id_menu'] != $data['id_menu'])
			{
				$this->update_pages_menu($data['id_page'], $data['id_menu']);
			}
		}

		// single quote fix
		foreach($lang_data as $i => $fix) {
			if(isset($fix['title'])) {
				$fix['title'] = str_replace("'", "&apos;", $fix['title']);
			}

			$lang_data[$i] = $fix;
		}
		// end single quote fix

		// Clean metas data
		$lang_data = $this->_clean_meta_data($lang_data);

		// Base model save method call
		return parent::save($data, $lang_data);
	}

greetz,
walter


#4 2013-12-17 10:17:44

damascus
Member
From: Brisbane, Australia
Registered: 2013-04-08
Posts: 270
Website

Re: Single quote gives parse error

Strange, never had that happen to me...

Did you try using data-formatting attributes/tag-syntax from http://doc.ionizecms.com/tags-reference … attributes ?

If need be, try defining a helper function that uses stripslashes or similar code.

At the very least, there are several string escape functions that are far better than a hard-coded str_replace.


Webmaster | OneCNC Australia


#5 2016-05-12 20:08:12

dh-webservice.eu
Member
From: Merano, Italy
Registered: 2015-10-14
Posts: 51
Website

Re: Single quote gives parse error

I am using Ionize 1.0.7.
If you use single quotes " ' " in an article in the content section and you want to output it in your front end with <ion:content />, it happens that your site does not load; you receive an empty "white" HTML file with no error message.
In that case I can recommend a very good solution:
- open the file application/libraries/ftl/binding.php
- go to line number 493
- remove the line with the "-" and add the line with the "+"

 			if (is_array($data_array) && isset($data_array[$key]))
-				return $data_array[$key];
+			{
+				// ensure single quotes do not break parser eval
+				return str_replace('\'', '&#39;', $data_array[$key]);
+			}
 		}
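
Review bot: the added return str_replace('\'', '&#39;', $data_array[$key]); runs on every value that passes the isset check, whatever its type, so a non-string scalar (integer, boolean) would come back as a string instead of unchanged; guard it with is_string() and return other types untouched. It also rewrites only the single quote, while the comment states the goal is to keep the parser eval from breaking; a backslash is equally significant inside a single-quoted PHP literal, so escaping at the point where the eval'd string is assembled (for example with var_export()) would cover both characters and leave the value returned here unmodified for any caller that does not render it as HTML.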

I found the solution on Github:
https://github.com/ionize/ionize/pull/3 … 08b00cdf1e

Last edited by dh-webservice.eu (2016-05-26 17:32:49)


Ionize Fan from Northern Italy ;-)
