! Release 2.2 Beta
$ config.php
+30-Sep-2009 Janusz Dobrowolski
+! Single quotes also encoded before database data insert
+$ /admin/db/maintenance_db.inc
+ /includes/db/connect_db.inc
+ /reporting/includes/tcpdf.php
+ /sales/includes/cart_class.inc
+
29-Sep-2009 Tom Hallman
! Changes in tags table structure, tags related security areas
$ /includes/access_levels.inc
$out.="# Backup Date and Time: ".date("Y-m-d H:i")."\n";
$out.="# Built by " . $app_title . " " . $version ."\n";
$out.="# ".$power_url."\n";
- $out.="# Company: ". @html_entity_decode($company, ENT_COMPAT, $_SESSION['language']->encoding)."\n";
+ $out.="# Company: ". @html_entity_decode($company, ENT_QUOTES, $_SESSION['language']->encoding)."\n";
$out.="# User: ".$_SESSION["wa_current_user"]->name."\n\n";
// write users comment
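Review bot: The `@` kept in front of `html_entity_decode` on the new `# Company:` line swallows the charset warning that an unsupported or empty `$_SESSION['language']->encoding` would raise, so a mis-decoded company name reaches the backup header with no trace in the log; the same suppression is carried over on the new lines at L24, L31 and L47–L53. Resolving the encoding once into a checked local, e.g. `$enc = $_SESSION['language']->encoding;` followed by `if ($enc == '') $enc = 'UTF-8';` and passing `$enc` without the `@`, would make a bad session charset visible instead of silent. The function that builds `$out` starts before this hunk, so whether the encoding is validated earlier cannot be seen here.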
// run through each field
for ($k = 0; $k < $nf = db_num_fields($res2); $k++)
{
- $out .= db_escape(@html_entity_decode($row2[$k], ENT_COMPAT, $_SESSION['language']->encoding));
+ $out .= db_escape(@html_entity_decode($row2[$k], ENT_QUOTES, $_SESSION['language']->encoding));
if ($k < ($nf - 1))
$out .= ", ";
}
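Review bot: A NULL cell in `$row2[$k]` is passed through `html_entity_decode` as an empty string on the new line, and `db_escape` is called without its `$nullify` argument, so the dump presumably writes `''` where the source column held NULL and a restore would no longer round-trip the distinction (this hinges on what `db_escape` emits for `""` when `$nullify` is false, which is outside the hunk). If `$nullify` is the intended switch for this, pass it here; otherwise guard the call, e.g. `$out .= is_null($row2[$k]) ? 'NULL' : db_escape(@html_entity_decode($row2[$k], ENT_QUOTES, $_SESSION['language']->encoding));`. The enclosing function starts before this hunk.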
function db_escape($value = "", $nullify = false)
{
- $value = @htmlspecialchars($value, ENT_COMPAT, $_SESSION['language']->encoding);
+ $value = @htmlspecialchars($value, ENT_QUOTES, $_SESSION['language']->encoding);
//reset default if second parameter is skipped
$nullify = ($nullify === null) ? (false) : ($nullify);
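Review bot: Switching to `ENT_QUOTES` makes `htmlspecialchars` turn `'` into `&#039;`, which is HTML output encoding, not SQL escaping: backslashes and NUL bytes are untouched, so this line must not be relied on as the injection defence on its own, and the remainder of `db_escape` (where a driver-level escape would be expected) is outside the hunk. A one-line comment above the call would stop the next reader from assuming it is sufficient, e.g. `// HTML-encode quotes for later display; SQL escaping of $value is still required below`. Note also that the surrounding `$nullify === null` check can never be true with the `false` default on the signature, which suggests the intended nullify path is unreachable, though that line is unchanged by this commit.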
*/
function unhtmlentities($text_to_convert) {
if (!$this->isunicode) {
- return html_entity_decode($text_to_convert);
+ return html_entity_decode($text_to_convert, ENT_QUOTES);
}
return html_entity_decode_php4($text_to_convert);
}
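Review bot: Only the non-unicode branch of `unhtmlentities` gains `ENT_QUOTES`; the unicode branch still returns `html_entity_decode_php4($text_to_convert)` unchanged, so unless that helper decodes `&#039;`/`&quot;` itself (not visible here), a `'` stored by `db_escape` comes out decoded in one PDF mode and as a literal entity in the other. Either extend the php4 helper to accept and honour the same flags, or document the asymmetry next to the second return, e.g. `// NOTE: quote entities are not decoded on this path — see html_entity_decode_php4`.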
$this->trans_no = 0;
$this->order_no= $this->trans_type==ST_CUSTDELIVERY ? key($src->trans_no) : $src->order_no;
}
- $this->reference = @html_entity_decode($this->reference);
- $this->Comments = @html_entity_decode($this->Comments);
+ $this->reference = @html_entity_decode($this->reference, ENT_QUOTES);
+ $this->Comments = @html_entity_decode($this->Comments, ENT_QUOTES);
foreach($this->line_items as $lineno => $line) {
- $this->line_items[$lineno]->stock_id = @html_entity_decode($line->stock_id);
- $this->line_items[$lineno]->item_description = @html_entity_decode($line->item_description);
+ $this->line_items[$lineno]->stock_id = @html_entity_decode($line->stock_id, ENT_QUOTES);
+ $this->line_items[$lineno]->item_description = @html_entity_decode($line->item_description, ENT_QUOTES);
}
switch($this->trans_type) {
case ST_SALESINVOICE:
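Review bot: The four new `html_entity_decode(..., ENT_QUOTES)` calls on `reference`, `Comments`, `stock_id` and `item_description` omit the charset argument that the other files in this commit pass (`$_SESSION['language']->encoding`), so on PHP 5 these decode under the ISO-8859-1 default and named or numeric entities in a UTF-8 description can come back as wrong bytes. The fix is the same one-argument addition on each line, e.g. `$this->reference = @html_entity_decode($this->reference, ENT_QUOTES, $_SESSION['language']->encoding);`. The enclosing method starts before this hunk and its `switch` continues past it.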