No Code Attached Yet
philip-sorokin
12 Dec 2021

Steps to reproduce the issue

Hi! Double quotes (and other special chars, I suppose) are not encoded, and this causes problems with names containing them:

$fields = $this->xml->xpath('//field[@name="' . $name . '" and not(ancestor::field/form/*)]');

Where $name must be sanitized before applying.

File /libraries/src/Form/Form.php

  • Joomla 3: line 1682
  • Joomla 4: line 1374

I don't know if there are other parts of the code that must be corrected.
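
An added example, not part of the original issue or of Joomla's code: one way to quote $name as an XPath 1.0 string literal before it is placed in the expression. The helper name xpathLiteral and the sample form are assumptions made for illustration.

```php
<?php
// XPath 1.0 has no escape character inside string literals, so a value that
// contains both quote types has to be assembled with concat().
function xpathLiteral(string $value): string
{
    if (strpos($value, '"') === false) {
        return '"' . $value . '"';
    }
    if (strpos($value, "'") === false) {
        return "'" . $value . "'";
    }
    // Both quote types present: split on ", wrap each piece in "...",
    // and put every " back as the single-quoted literal '"'.
    $parts = [];
    foreach (explode('"', $value) as $i => $piece) {
        if ($i > 0) {
            $parts[] = "'\"'";
        }
        if ($piece !== '') {
            $parts[] = '"' . $piece . '"';
        }
    }
    return 'concat(' . implode(', ', $parts) . ')';
}

// Constructed sample form (hypothetical, not a real Joomla form definition).
$xml = simplexml_load_string(
    '<form><field name="title"/><field name="say &quot;hi&quot;"/>'
    . '<field name="it\'s &quot;x&quot;"/></form>'
);

$suffix = ' and not(ancestor::field/form/*)]';
foreach (['title', 'say "hi"', 'it\'s "x"'] as $name) {
    // Concatenation as in the line quoted in the issue; @ hides the
    // "Invalid expression" warning raised when the query is malformed.
    $raw = @$xml->xpath('//field[@name="' . $name . '"' . $suffix);
    // Same query with the name passed through xpathLiteral().
    $quoted = $xml->xpath('//field[@name=' . xpathLiteral($name) . $suffix);
    printf(
        "%-10s raw=%d quoted=%d\n",
        $name,
        $raw ? count($raw) : 0,
        $quoted ? count($quoted) : 0
    );
}
```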

philip-sorokin - open - 12 Dec 2021
joomla-cms-bot - change - 12 Dec 2021
Labels Added: No Code Attached Yet
joomla-cms-bot - labeled - 12 Dec 2021
philip-sorokin - change - 12 Dec 2021
The description was changed
philip-sorokin - edited - 12 Dec 2021
joomdonation - change - 13 Nov 2022
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2022-11-13 09:58:15
Closed_By: joomdonation
joomdonation - close - 13 Nov 2022
joomdonation - comment - 13 Nov 2022

I'm closing this issue for now. While your finding is correct, most of the variable usage here is the name of a field, the name of a fieldset or a group, and should not contain special characters. Adding code to handle this case will make the code become unnecessarily complicated. It has been working well for us for years, so I guess we do not really need to change it.

If you do not agree, feel free to re-open and I will ask our maintainer team to check and reply to you further. Thanks!
