since $HTML_SUBST contains '&' => '&amp;', all the &xxx; characters are broken in displayecard.php because of line 43: foreach($data as $key => $value) $data[$key] = strtr($value, $HTML_SUBST);
When you click on the ecard the link that takes you to the gallery, if you used an apostrophe in your title of message, it gets replaced with '
Try it: http://206.125.210.89/cpg148/displayimage.php?album=3&pos=2
you are right
"Alternate link if the e-card does not display correctly" will send you to displaycard.php and here we have &quot; instead of " (every special character gets filtered)
I think it's a bug
Yes, I've noticed this too, it's not just the apostrophe, these characters are also a problem " & < >.
It doesn't matter where they appear, in the subject line, message body or sender name: they always get switched.
Only a problem when viewed via displayecard.php.
In displayecard.php:
FIND:
foreach($data as $key => $value) $data[$key] = strtr($value, $HTML_SUBST);
REPLACE with:
foreach($data as $key => $value) $data[$key] = html_entity_decode(strtr($value, $HTML_SUBST));
Since the encoding is a security feature, I'll need another dev to confirm it is okay to decode the html entities before committing the fix to svn.
Merged two threads reporting the same issue. :)
Hm, this has to be considered thoroughly indeed: a link can only make it into those fields using bbcode, so we have to rely on the bbcode mechanisms to make sure no malevolent link can make it into the output. IMO, the code fix you suggested should go into the core, as there's nothing particularly different in ecards than in any other regular coppermine page that outputs user input on a page.
Yes, Thu: please go ahead and commit.
Fix committed to svn in stable and devel branches.
html_entity_decode() is a PHP 4.3 function; you can't use that without raising the minimum requirements.
You can use
strtr($value, array_flip($HTML_SUBST));
instead.
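The following is an added example, not Coppermine's own code, that reproduces the double-encoding described in this thread and compares the committed html_entity_decode() fix with the array_flip() alternative. The $HTML_SUBST array is a constructed subset assumed to mirror the core's map, and the function names are hypothetical. It also shows why the reversal must be applied only after the extra strtr() call, since applying the flipped map to the stored value alone would undo the encoding the core relies on.

```php
<?php
// Added example (not Coppermine's own code): reproduces the double-encoding
// bug from this thread and compares the two proposed fixes.
// $HTML_SUBST is a constructed subset assumed to mirror the core's map.
$HTML_SUBST = array(
    '&' => '&amp;',
    '"' => '&quot;',
    "'" => '&#039;',
    '<' => '&lt;',
    '>' => '&gt;',
);

// Core behaviour: user input is encoded once when the ecard is stored.
function encode_once($raw, $map) {
    return strtr($raw, $map);
}

// Original displayecard.php line: re-encodes the already encoded value,
// so '&quot;' becomes '&amp;quot;' and the browser shows the literal entity.
function display_buggy($stored, $map) {
    return strtr($stored, $map);
}

// Fix 1 (committed): decode entities after the re-encoding. Every '&' is
// '&amp;' at that point, so exactly one level of encoding is removed.
function display_fix_decode($stored, $map) {
    return html_entity_decode(strtr($stored, $map));
}

// Fix 2 (suggested for PHP < 4.3): reverse the same map with strtr() and
// array_flip() instead of html_entity_decode(); this also undoes one level.
function display_fix_flip($stored, $map) {
    return strtr(strtr($stored, $map), array_flip($map));
}

// Constructed test data: an ecard title containing every special character.
$raw    = "Tom's \"summer\" <trip> & photos";
$stored = encode_once($raw, $HTML_SUBST);

echo "stored : $stored\n";
echo "buggy  : " . display_buggy($stored, $HTML_SUBST) . "\n";
echo "decode : " . display_fix_decode($stored, $HTML_SUBST) . "\n";
echo "flip   : " . display_fix_flip($stored, $HTML_SUBST) . "\n";

// Both fixes yield the once-encoded value, i.e. exactly what the core stored,
// so the output stays escaped the same way as on every other Coppermine page.
echo "decode fix matches stored value: "
    . (display_fix_decode($stored, $HTML_SUBST) === $stored ? 'yes' : 'no') . "\n";
echo "flip fix matches stored value:   "
    . (display_fix_flip($stored, $HTML_SUBST) === $stored ? 'yes' : 'no') . "\n";

// Caveat: the flipped map applied to the stored value on its own is a full
// decode back to the raw user input, which would put unescaped markup on the
// page. The reversal belongs only after the extra strtr() encoding step.
echo "flipped map on stored value alone gives raw input: "
    . (strtr($stored, array_flip($HTML_SUBST)) === $raw ? 'yes' : 'no') . "\n";
```

Both fixes are equivalent for this map because strtr() with an array replaces the longest matching key at each position without rescanning its own output, so a value like `&amp;amp;` (a user who literally typed `&amp;`) comes back as `&amp;` after either fix, just as the core stored it.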