Inside commerce_customer_commerce_checkout_pane_info() the title is run through check_plain(), but in commerce_checkout_form() it is also run through check_plain().

I'm assuming the one in commerce_customer_commerce_checkout_pane_info was a mistake so attaching a patch to remove it....

Files:

| Comment | File | Size | Author |
|---|---|---|---|
| #1 | commerce-double_check_plain-1883308-1.patch | 745 bytes | mjpa |

PASSED: [[SimpleTest]]: [MySQL] 3,570 pass(es).

Comments

Status: Active » Needs review

The patch...

Status: Needs review » Reviewed & tested by the community

Very timely, I was just coming here to report the same issue after digging through commerce_customer and i18n.

Without the patch you can end up with panes titled like "Adresse d'expédition".

Thanks @mjpa!

Steps to reproduce:

  1. Install Commerce Kickstart with Localization enabled.
  2. Add a new language.
  3. Navigate to admin/config/regional/translate/translate and translate "Billing information" or "Shipping information" to something that has an apostrophe or ampersand in it.
  4. View the checkout form in the new language you added. The apostrophes, ampersands, etc. are double encoded.
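
The double encoding described in this thread, as an added PHP example that is not part of the issue or of Commerce's code. The `example_*` functions are hypothetical stand-ins (`example_check_plain()` mirrors Drupal 7's `check_plain()`, which wraps `htmlspecialchars()`), and the sample titles are constructed.

```php
<?php
// Stand-in for Drupal 7's check_plain(): HTML-escape with ENT_QUOTES.
function example_check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Hypothetical pane info callback. $escape_here = TRUE models the
// pre-patch behaviour, where the title was already escaped at this point.
function example_pane_info($title, $escape_here) {
  return array('title' => $escape_here ? example_check_plain($title) : $title);
}

// Hypothetical form builder: escapes the title once, at output.
function example_checkout_legend(array $pane) {
  return '<legend>' . example_check_plain($pane['title']) . '</legend>';
}

// Flags markup in which an entity's own "&" was escaped again,
// e.g. "&amp;#039;" or "&amp;amp;".
function example_is_double_encoded($html) {
  return preg_match('/&amp;(?:#\d+|#x[0-9a-f]+|[a-z][a-z0-9]*);/i', $html) === 1;
}

// Constructed sample titles: two translations and one string with markup.
$samples = array(
  "Adresse d'expédition",
  'Facturation & paiement',
  '<script>alert(1)</script>',
);

foreach ($samples as $title) {
  // Escaped in the info callback and again at output (pre-patch).
  $before = example_checkout_legend(example_pane_info($title, TRUE));
  // Escaped only at output (post-patch); markup is still neutralised.
  $after = example_checkout_legend(example_pane_info($title, FALSE));
  printf("before: %s (double encoded: %s)\n", $before,
    example_is_double_encoded($before) ? 'yes' : 'no');
  printf("after:  %s (double encoded: %s)\n\n", $after,
    example_is_double_encoded($after) ? 'yes' : 'no');
}
```

The detector is a heuristic: a title that legitimately contains the literal text of an entity is flagged as well, so treat hits as candidates for review.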

Status: Reviewed & tested by the community » Fixed

Found another instance in the checkout pane settings form where we used check_plain() for a select form element's options list, which also resulted in double sanitization. Thanks, mjpa!

Commit: http://drupalcode.org/project/commerce.git/commitdiff/bcd81f5

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.