statamic / v2-hub

Statamic 2 - Feature Requests and Bug Reports
https://statamic.com

Bug and fix: Form Input is sanitized incorrectly #2451

Open RafaelKr opened 4 years ago

RafaelKr commented 4 years ago

Describe the bug

When submitting a form, the input is sanitized by using the PHP function htmlentities. Unfortunately this also replaces German umlauts with htmlentities. So I get incorrect data.

Example:

Input: äöüß
Result: &auml;&ouml;&uuml;&szlig;

To Reproduce

Steps to reproduce the behavior:

  1. Create a form "Test"
  2. Submit text with Umlauts
  3. Go to the Control Panel Page "Forms"
  4. Select the "Test" form and see the input.

Expected behavior

Umlauts should be kept.

Environment details (please complete the following information):

Fix of the problem

eminos commented 4 years ago

I ran into this issue a few days ago. I noticed it in the email being sent out. For the text version of the email I solved it by piping the variable through decode. The HTML version of the email worked fine obviously, without decoding.

But it seems this is a bug if it shows htmlentities in the control panel page as well.

RafaelKr commented 4 years ago

I just found this related issue: https://github.com/statamic/v2-hub/issues/2386

jackmcdade commented 4 years ago

You're definitely on the right spot of the code that's the issue here. Whether the suggested fix is the right one though is a different matter. Changing htmlentities to htmlspecialchars may cause a number of unintended consequences elsewhere sanitize() has been used. We'll need to look into it. I can't promise a date, but I can promise we'll see if we can resolve it.
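
The following is an added example, not part of the thread and not Statamic's code. It compares the two PHP functions discussed above on constructed input and shows one consequence of switching for values already stored with named entities. The helper names `sanitize_with_entities` and `sanitize_with_specialchars` are hypothetical stand-ins for the `sanitize()` mentioned in the thread.

```php
<?php
// Added illustration; these helpers are hypothetical, not Statamic's sanitize().

// Behaviour the issue describes: every character that has a named
// entity is replaced, including umlauts.
function sanitize_with_entities(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Alternative discussed in the thread: only & < > " ' are replaced,
// so non-ASCII text passes through unchanged.
function sanitize_with_specialchars(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample submissions.
$samples = [
    'umlauts' => 'äöüß',
    'markup'  => '<b title="x">Grüße</b> & \'more\'',
];

foreach ($samples as $name => $input) {
    $old = sanitize_with_entities($input);
    $new = sanitize_with_specialchars($input);

    // Both variants must leave no raw HTML metacharacter in the output.
    $escaped = !preg_match('/[<>"\']/', $old . $new);

    // Only the second variant keeps the original non-ASCII characters.
    $keepsUmlauts = preg_match('/[äöüß]/u', $new) && !preg_match('/[äöüß]/u', $old);

    printf("%s\n  htmlentities:     %s\n  htmlspecialchars: %s\n", $name, $old, $new);
    printf("  metacharacters escaped: %s, umlauts kept only by htmlspecialchars: %s\n",
        $escaped ? 'yes' : 'no', $keepsUmlauts ? 'yes' : 'no');
}

// Values saved before a switch still contain named entities.
$legacy = sanitize_with_entities('Grüße');

// htmlspecialchars_decode() reverses only the five special characters,
// so named entities in legacy values stay encoded.
echo 'htmlspecialchars_decode: ', htmlspecialchars_decode($legacy, ENT_QUOTES), "\n";

// html_entity_decode() restores them, e.g. for a plain-text email body.
echo 'html_entity_decode:      ', html_entity_decode($legacy, ENT_QUOTES, 'UTF-8'), "\n";
```

A decoded value is safe only in a non-HTML context such as a plain-text email; anything rendered as HTML still needs escaping at output time.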