PayPal submits the IPN variables with apostrophes escaped as &#039; - this is displayed correctly in the table at admin/content/signup_pay, but when I click on edit, the form uses &#039; rather than an apostrophe. So my last name (O'Shea) becomes O&#039;Shea. The same issue occurs in the log entries - the notice in watchdog about the POST variables displays the apostrophe, but the notice from signup_pay reads 'Payment from Bryan O&#039;Shea ...'
Would it be acceptable/agreeable (before I make up a patch) to replace the string directly when receiving the IPN data (change &#039; to '), and then insert into the database, or would it be better to replace the string every time it is displayed later? I know that won't fix the watchdog issue, although that's not important. Having the form display the wrong value is the bigger issue.
I'll make the patch; just looking for which way to go.
| Comment | File | Size | Author |
|---|---|---|---|
| #3 | signup_pay.module_apostrophes.patch | 1.25 KB | obsidiandesign |
Comments
Comment #1
obsidiandesign commented
Not thinking things through, I made everything look the same.
The issue is ' becomes &#039; (rendered by the issue tracker as a plain apostrophe).
Comment #2
kbahey commented
Waiting for the patch. Would this be better handled centrally in simple_paypal, so all other modules that use it get fixed in one shot?
If so, then please change the project before submitting the patch.
Comment #3
obsidiandesign commented
After asking around in #drupal, the consensus was that it is the responsibility of the code outputting the text to filter it properly. The nice thing is, since the edit form fixes the apostrophe, if the form is saved, the other modules will get the display correct as well. It's only a true issue for modules that edit the text, since a browser will display the apostrophe instead of the HTML character code unless it's a form.
Patch attached. Tested on my installation.
Comment #4
kbahey commented
This approach is not secure. See here for details: http://drupal.org/node/165226#comment-887466
An acceptable approach can be found here http://drupal.org/node/266488#comment-898070
Comment #5
obsidiandesign commented
Sorry, comparing it to check_plain, I realize I didn't pay enough attention (I thought check_plain used htmlspecialchars_decode, not htmlspecialchars).
Would
str_replace("&#039;", "'", $row->name);
be considered secure & acceptable, since I'm really only looking to take care of the apostrophe itself? Both issues you posted deal with regexps for handling user input before it's entered into the database. Right now, PayPal's output is just inserted into the database, and my original idea was dealing with it on output.
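The two options discussed in this thread, stored raw and patched on output with str_replace versus decoded once on receipt and escaped on every output, side by side (an added example, not code from signup_pay or simple_paypal; check_plain_stub() and the IPN values are assumptions so it runs outside Drupal):

```php
<?php
// Added example: compares "store the entity-encoded IPN value and fix the
// apostrophe on output" with "decode entities once on input, escape on output".
// check_plain_stub() stands in for Drupal's check_plain(), which wraps
// htmlspecialchars(); the stand-in is an assumption for running stand-alone.
function check_plain_stub($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Option A (comment #5): keep the raw IPN value, undo only &#039; when displaying.
// Any other entity PayPal sends (&amp;, &quot;, ...) is left encoded, and the
// result is returned unescaped, so dropping it into an attribute would let the
// apostrophe terminate a single-quoted value. That is the concern in comment #4.
function display_with_str_replace($stored_raw) {
    return str_replace("&#039;", "'", $stored_raw);
}

// Option B: normalise to plain text at the point the IPN is received, store
// that, and rely on check_plain() at every output point (forms, tables, watchdog).
function normalize_ipn_value($raw) {
    return html_entity_decode($raw, ENT_QUOTES, 'UTF-8');
}

// Constructed IPN values in the form PayPal posts them (already entity-encoded).
$ipn = array(
    'last_name' => "O&#039;Shea",
    'item_name' => "Tom &amp; Jerry &quot;Deluxe&quot;",
);

foreach ($ipn as $field => $raw) {
    $stored_plain = normalize_ipn_value($raw);   // e.g. O'Shea

    printf("%s\n", $field);
    // Today's behaviour: raw value escaped again by the form -> O&amp;#039;Shea
    printf("  form value, raw stored + check_plain : %s\n", check_plain_stub($raw));
    // Option A: apostrophe fixed, other entities untouched, nothing escaped
    printf("  Option A str_replace on output        : %s\n", display_with_str_replace($raw));
    // Option B: single encoding, renders as O'Shea / Tom & Jerry "Deluxe"
    printf("  Option B decoded store + check_plain  : %s\n", check_plain_stub($stored_plain));
}
```

Running it shows that only Option B yields a correctly single-encoded value for both fields; Option A only handles the apostrophe and hands back text that still needs escaping before it reaches HTML.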