CRM-16360 - CiviCase XML - Escape ampersand

diff --git a/CRM/Case/BAO/CaseType.php b/CRM/Case/BAO/CaseType.php
index 00fa4f2fd5dbff9d5953436058601aa2f5460d31..cc512a2a6d49e4f3de355c5f03ad4058b31fa4cb 100644 (file)
--- a/CRM/Case/BAO/CaseType.php
+++ b/CRM/Case/BAO/CaseType.php
@@ -115,7 +115,7 @@ class CRM_Case_BAO_CaseType extends CRM_Case_DAO_CaseType {
    */
   public static function convertDefinitionToXML($name, $definition) {
     $xmlFile = '<?xml version="1.0" encoding="utf-8" ?>' . "\n\n<CaseType>\n";
-    $xmlFile .= "<name>{$name}</name>\n";
+    $xmlFile .= "<name>" . self::encodeXmlString($name) . "</name>\n";
 
     if (array_key_exists('forkable', $definition)) {
       $xmlFile .= "<forkable>" . ((int) $definition['forkable']) . "</forkable>\n";
@@ -126,7 +126,7 @@ class CRM_Case_BAO_CaseType extends CRM_Case_DAO_CaseType {
       foreach ($definition['activityTypes'] as $values) {
         $xmlFile .= "<ActivityType>\n";
         foreach ($values as $key => $value) {
-          $xmlFile .= "<{$key}>{$value}</{$key}>\n";
+          $xmlFile .= "<{$key}>" . self::encodeXmlString($value) . "</{$key}>\n";
         }
         $xmlFile .= "</ActivityType>\n";
       }
@@ -145,7 +145,7 @@ class CRM_Case_BAO_CaseType extends CRM_Case_DAO_CaseType {
                 foreach ($setVal as $values) {
                   $xmlFile .= "<ActivityType>\n";
                   foreach ($values as $key => $value) {
-                    $xmlFile .= "<{$key}>{$value}</{$key}>\n";
+                    $xmlFile .= "<{$key}>" . self::encodeXmlString($value) . "</{$key}>\n";
                   }
                   $xmlFile .= "</ActivityType>\n";
                 }
@@ -161,7 +161,7 @@ class CRM_Case_BAO_CaseType extends CRM_Case_DAO_CaseType {
               break;
 
             default:
-              $xmlFile .= "<{$index}>{$setVal}</{$index}>\n";
+              $xmlFile .= "<{$index}>" . self::encodeXmlString($setVal) . "</{$index}>\n";
           }
         }
 
@@ -176,7 +176,7 @@ class CRM_Case_BAO_CaseType extends CRM_Case_DAO_CaseType {
       foreach ($definition['caseRoles'] as $values) {
         $xmlFile .= "<RelationshipType>\n";
         foreach ($values as $key => $value) {
-          $xmlFile .= "<{$key}>{$value}</{$key}>\n";
+          $xmlFile .= "<{$key}>" . self::encodeXmlString($value) . "</{$key}>\n";
         }
         $xmlFile .= "</RelationshipType>\n";
       }
@@ -187,6 +187,21 @@ class CRM_Case_BAO_CaseType extends CRM_Case_DAO_CaseType {
     return $xmlFile;
   }
 
+  /**
+   * Ugh. This shouldn't exist. Use a real XML-encoder.
+   *
+   * Escape a string for use in XML.
+   *
+   * @param string $str
+   *   A string which should outputted to XML.
+   * @return string
+   * @deprecated
+   */
+  protected static function encodeXmlString($str) {
+    // PHP 5.4: return htmlspecialchars($str, ENT_XML1, 'UTF-8')
+    return htmlspecialchars($str);
+  }
+
   /**
    * Get the case definition either from db or read from xml file.
    *

diff --git a/tests/phpunit/CRM/Case/BAO/CaseTypeTest.php b/tests/phpunit/CRM/Case/BAO/CaseTypeTest.php
index a982911e2e807c553f55bcae58325c00d81ed79a..646312b54b7bc0895a73d37ed55485b95f6be36f 100644 (file)
--- a/tests/phpunit/CRM/Case/BAO/CaseTypeTest.php
+++ b/tests/phpunit/CRM/Case/BAO/CaseTypeTest.php
@@ -30,7 +30,7 @@ class CRM_Case_BAO_CaseTypeTest extends CiviUnitTestCase {
     $fixtures['one-item-in-each'] = array(
       'json' => json_encode(array(
         'activityTypes' => array(
-          array('name' => 'First act (foréign éxamplé)'),
+          array('name' => 'First act (foréign éxamplé, &c)'),
         ),
         'activitySets' => array(
           array(

diff --git a/tests/phpunit/CRM/Case/BAO/xml/one-item-in-each.xml b/tests/phpunit/CRM/Case/BAO/xml/one-item-in-each.xml
index d5c9dbec81af9866d15829e67cdf0223fd3b9da2..24452737619de59cd6556d80f189adc7d84ca86e 100644 (file)
--- a/tests/phpunit/CRM/Case/BAO/xml/one-item-in-each.xml
+++ b/tests/phpunit/CRM/Case/BAO/xml/one-item-in-each.xml
@@ -3,7 +3,7 @@
   <name>Housing Support</name>
   <ActivityTypes>
     <ActivityType>
-      <name>First act (foréign éxamplé)</name>
+      <name>First act (foréign éxamplé, &amp;c)</name>
     </ActivityType>
   </ActivityTypes>
   <ActivitySets>