FoxyCart / FoxyCart-Cart-Validation--PHP

Automatically sign (with HMAC SHA-256) all links and forms in a block of HTML
http://wiki.foxycart.com/static/redirect/price_validation

Invalid handling for SELECT menu options #1

Closed pixelchutes closed 14 years ago

pixelchutes commented 14 years ago

I am seeing some incomplete behavior with regard to <select> <option> hashing:

<select name="quantity"> <option value="1">1</option> <option value="2">2</option> <option value="3">3</option> </select>

is becoming:

<select name="quantity"> <option value=||c49e975314be4d896d4f32bf6f087583834fb6032d4a31ad060ab18d1ad8167a">1</option> <option value=||d4a8aa60da2bbdf94e0af8473cd0a593ac1463cf75a41aa990bcce59ab628389">2 <option value=||0051cdc38ae629b31ece002de6ea7c199588d88f59325a263684a06afe10667e">3</option> </select>

The conversion is not occurring correctly for my Quantity drop down, since <option value="1">1</option> is becoming <option value=||c49e975314be4d896d4f32bf6f087583834fb6032d4a31ad060ab18d1ad8167a">1</option>

(NOTE: missing starting quotation marks + source value)

I was able to get this working as expected by changing Line 243 to the following:

#$option_signed = preg_replace('%([\'"])'.preg_quote($option[2]).'\1%', "$1".self::fc_hash_value($code, $list[2], $option[2], 'value', FALSE)."$1", $option[0]);
$option_signed = preg_replace('%('.preg_quote($option[1]).')'.preg_quote($option[2]).preg_quote($option[1]).'%', $option[1].self::fc_hash_value($code, $list[2], $option[2], 'value', FALSE).$option[1], $option[0]);

...it seemed the "$1" in "$1".self::fc_hash was somehow related to the behavior I was seeing, but it should be perfectly valid to reference $option[1] created from the first preg_match_all call.

brettflorio commented 14 years ago

Nice catch. Fixed in badbdcbd524d9822a95ad00c1af2a025e47f0373.
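
An added example, not code from this repository or thread: the symptom reported above matches how preg_replace() parses its replacement string, where "$1" followed by a value that starts with a digit is read as the two-digit reference $11. sign_value(), the key and the product code are hypothetical stand-ins for fc_hash_value() and its inputs.

```php
<?php
// Added illustration. sign_value() is a hypothetical stand-in for
// fc_hash_value(); the key and product code are constructed sample values.
function sign_value(string $name, string $value): string {
    $mac = hash_hmac('sha256', 'sku-1' . $name . $value, 'constructed-demo-key');
    return $value . '||' . $mac;
}

// True when the attribute still holds value, separator and 64 hex digits in quotes.
function is_well_formed(string $html): bool {
    return preg_match('%value=(["\'])[^"\']*\|\|[0-9a-f]{64}\1%', $html) === 1;
}

$option  = '<option value="1">1</option>';   // constructed input
$value   = '1';
$signed  = sign_value('quantity', $value);
$pattern = '%([\'"])' . preg_quote($value, '%') . '\1%';

// Behaviour from the report: "$1" . "1||..." builds the replacement "$11||...",
// which is parsed as group 11. That group is unset, so the opening quote and
// the leading "1" of the value both disappear.
$broken = preg_replace($pattern, "$1" . $signed . "$1", $option);

// Braces delimit the group number, so a leading digit in the value is safe.
$braced = preg_replace($pattern, '${1}' . $signed . '${1}', $option);

// A callback's return value is never scanned for $n or \n references, so a
// value containing "$" or a backslash cannot alter the output either.
$callback = preg_replace_callback(
    $pattern,
    fn(array $m): string => $m[1] . $signed . $m[1],
    $option
);

$results = ['broken' => $broken, 'braced' => $braced, 'callback' => $callback];
foreach ($results as $label => $html) {
    printf("%-8s %s  %s\n", $label, is_well_formed($html) ? 'ok ' : 'BAD', $html);
}
```

Running a check like is_well_formed() over signed output before it is served catches this class of failure, since a malformed value attribute means the option is no longer covered by a valid signature.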