0010901: We can't use & in custom field value and it's impossible search the first and last value from custom list - MantisBT - Signup temporarily disabled due to spam

ID	Project	Category	View Status	Date Submitted	Last Update

0010901	mantisbt	custom fields	public	2009-09-03 16:34	2010-09-19 03:11

Reporter	bighux	Assigned To	dhx
Priority	normal	Severity	major	Reproducibility	always
Status	closed	Resolution	duplicate
Platform	Apache 2.2.12 + PHP 5.3.0	OS	Windows	OS Version	XP
Product Version	1.2.0rc1
Target Version	1.3.0-beta.1

Summary	0010901: We can't use & in custom field value and it's impossible search the first and last value from custom list
Description	We can't use & in custom field value with type checkbox or multiselection list, otherwise the value is never selected in edit issue page. I don't have tried with others types. It's impossible search the first and last value when the type of field is checkbox (or Multiselection list).
Steps To Reproduce	1- Create custom field checkbox with 4 values (eg : value1\|value2\|value &3\|value4) with "Add to Filter" and "Display When Reporting Issues" checked 2- Assign field on the project 3- Create issue and check 4 checkbox 4- The issue information is displayed and it is correct 5- Click on edit issue 6- The checkbox value &3 isn't checked (it's a problem) 7- Go to View Issues page 8- Select in filters the custom field with value1 (or value4), apply filter 9- No issue found, it's a problem 10-If the value selected is value2 or value &3, the issue is displayed in the list
Tags	patch
Attached Files	bugMantisCustomField.png (2,626 bytes) bugMantisCustomField.png (2,626 bytes) bug_10901.diff (2,280 bytes) Nur in www/: config_inc.php. diff -ru mantis.build/core/cfdefs/cfdef_standard.php www/core/cfdefs/cfdef_standard.php --- mantis.build/core/cfdefs/cfdef_standard.php 2009-12-27 10:06:06.000000000 +0100 +++ www/core/cfdefs/cfdef_standard.php 2009-12-28 00:41:03.000000000 +0100 @@ -247,7 +247,7 @@ $t_selected_values = explode( '\|', $t_custom_field_value ); foreach( $t_values as $t_option ) { - if( in_array( $t_option, $t_selected_values, true ) ) { + if( in_array( htmlentities($t_option), $t_selected_values, true ) ) { echo '<option value="' . $t_option . '" selected="selected"> ' . $t_option . '</option>'; } else { echo '<option value="' . $t_option . '">' . $t_option . '</option>'; @@ -261,7 +261,7 @@ $t_checked_values = explode( '\|', $t_custom_field_value ); foreach( $t_values as $t_option ) { echo '<input ', helper_get_tab_index(), ' type="checkbox" name="custom_field_' . $p_field_def['id'] . '[]"'; - if( in_array( $t_option, $t_checked_values, true ) ) { + if( in_array( htmlentities($t_option), $t_checked_values, true ) ) { echo ' value="' . $t_option . '" checked="checked"> ' . $t_option . '  '; } else { echo ' value="' . $t_option . '"> ' . $t_option . '  '; diff -ru mantis.build/core/filter_api.php www/core/filter_api.php --- mantis.build/core/filter_api.php 2009-12-27 10:06:06.000000000 +0100 +++ www/core/filter_api.php 2009-12-28 00:44:18.000000000 +0100 @@ -1899,8 +1899,14 @@ switch( $t_def['type'] ) { case CUSTOM_FIELD_TYPE_MULTILIST: case CUSTOM_FIELD_TYPE_CHECKBOX: + $t_where_params[] = $t_filter_member . '\|%'; + array_push( $t_filter_array, db_helper_like( "$t_table_name.value" ) ); + $t_where_params[] = '%\|' . $t_filter_member; + array_push( $t_filter_array, db_helper_like( "$t_table_name.value" ) ); $t_where_params[] = '%\|' . $t_filter_member . '\|%'; array_push( $t_filter_array, db_helper_like( "$t_table_name.value" ) ); + $t_where_params[] = $t_filter_member; + array_push( $t_filter_array, db_helper_like( "$t_table_name.value" ) ); break; default: array_push( $t_filter_array, "$t_table_name.value = '" . db_prepare_string( $t_filter_member ) . "'" ); bug_10901.diff (2,280 bytes)

duplicate of	0011561	closed	dhx	Filtering for custom field types multilist and checkbox does not work
duplicate of	0003767	closed	grangeway	Enumeration Custum fields with html-special chars get unselected on bug-update
has duplicate	0011011	closed	dhx	Can't add UTF8 custom fields to the Manage columns enumeration
has duplicate	0011634	closed	dhx	using special characters on Custom Field name generates issue when trying to order by this CF
has duplicate	0011631	closed	dhx	Custom Fields with special characters in the name cause SQL errors on sort.

bighux 2009-09-22 11:13 reporter ~0023015	I have found the problem filter value (but not the bug with &)in /core/filter_api.php line 1878 Add the code bellow between array_push et break and it's work $t_where_params[] = $t_filter_member . '\|%'; array_push( $t_filter_array, db_helper_like( "$t_table_name.value" ) ); $t_where_params[] = '%\|' . $t_filter_member; array_push( $t_filter_array, db_helper_like( "$t_table_name.value" ) ); $t_where_params[] = $t_filter_member; array_push( $t_filter_array, db_helper_like( "$t_table_name.value" ) );

biitli 2009-11-12 05:43 reporter ~0023680	I have the same problem with Mantis 1.1.8. Maybe it is a problem with usage of html entities? '&' seems to be stored as '&' and compared with '&' (or vice versa)

yw84ever 2009-11-12 06:49 reporter ~0023684	biitli: remove your sponsoring by sponsoring an amount of $0

andygrunwald 2009-12-27 18:58 reporter ~0023991 Last edited: 2009-12-27 19:00	Hey, i had a deeper look in this bug. There are two different issues: a) a filter bug (to build the correct search query for custom fields) b) a custom field display bug bighux writes down a solution for part a. This solutions works fine in my tests. Thanks for this bighux. biitli gives me a hint for part b of this bug. so i went down into the sourcecode to fix it. My solution works fone in my tests, too. My patch is added. this patch is based on the nightly build mantisbt-1.3.0dev-2009-12-27-master-8c404a1.tar. I hope there are no code changed between mantisbt-1.3.0dev-2009-12-27-master-8c404a1.tar and MantisBT 1.2.0 RC2 to get this patch in 1.2.0 Have a nice day, Andy

dhx 2010-03-12 08:32 reporter ~0024711	The filtering bug has been fixed in 0011561 Thanks Andy for your patch! I actually did the same thing as your patch without seeing this bug first. However, the approach of using multiple LIKE queries is poor and unintended, so the 2nd patch in 0011561 fixes it more properly. I'll keep this bug open to keep track of the other issue at hand here (using ampersands and other special characters in a custom field name/values).

dhx 2010-03-12 09:14 reporter ~0024716	Please see duplicate issue 0003767 for further updates and discussion. This bug is OLD :(