Conflict between component item name and user data due to HTML escaping.
| Project: | Webform |
| Version: | 5.x-1.2 |
| Component: | Code |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Kyber |
| Status: | duplicate |
Jump to:
2 select fields were defined by user where the select value contained an &
In the data array for webform_component the & remained as is.
In the form results, written from the webpage where the text was escaped, the & was transformed into &
This caused match on the select value to fail in _webform_csv_data_select
I added the following workaround:
$item = str_replace('&', '&', $item);
just above
if (in_array($item,(array)$data['value']) === true) {
But that hack was specific to this case and doesn't handle the general issue of HTML encoding.
Additionally, the CSV field headers were pulled from the answers and thus had & transformed into amp by _webform_safe_name, which brought them into conflict with the actual field names on the web page where the safe name was generated from webform_component table thus Foo & Bar became Foo__Bar in one, and Foo_amp_Bar in the other.
I tagged this bug critical since it resulted in data corruption of the CSV. Your own call on this one I suppose.

#1
Make that
$item = str_replace('&', '&', $item);if (in_array($item,(array)$data['value']) === true) {
and, for that matter, following workaround in _webform_safe_name
$new = str_replace('&', '', $new);$new = preg_replace('/[^a-z0-9_]/', '', $new);
Neither of those are the right way to do it, obviously.
#2
This has been fixed finally in 1.x and 2.x branches in this ticket: http://drupal.org/node/150306. It will be in the 1.9 release of webform.