From 489c1da8f25c918bd7f0817a0adf0183e6e971e9 Mon Sep 17 00:00:00 2001
From: Josh McCullough
Date: Tue, 22 Oct 2024 15:29:47 -0400
Subject: [PATCH 1/2] decode HTML entities in REST/JSON service

---
 public/legacy/service/core/REST/SugarRestJSON.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/public/legacy/service/core/REST/SugarRestJSON.php b/public/legacy/service/core/REST/SugarRestJSON.php
index 65d0974f5c..a4cd995904 100755
--- a/public/legacy/service/core/REST/SugarRestJSON.php
+++ b/public/legacy/service/core/REST/SugarRestJSON.php
@@ -84,7 +84,7 @@ public function generateResponse($input){
 */
 public function serve(){
 $GLOBALS['log']->info('Begin: SugarRestJSON->serve');
- $json_data = !empty($_REQUEST['rest_data'])? $GLOBALS['RAW_REQUEST']['rest_data']: '';
+ $json_data = html_entity_decode(!empty($_REQUEST['rest_data'])? $GLOBALS['RAW_REQUEST']['rest_data']: '');
 if(empty($_REQUEST['method']) || !method_exists($this->implementation, $_REQUEST['method'])){
 $er = new SoapError();
 $er->set_error('invalid_call');

From e9541362989101e9a9f49c7d68bfb0bce4f9ceb6 Mon Sep 17 00:00:00 2001
From: Josh McCullough
Date: Wed, 23 Oct 2024 15:24:22 -0400
Subject: [PATCH 2/2] add $raw_json_data variable; clean up HTML entity decoding

---
 public/legacy/service/core/REST/SugarRestJSON.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/public/legacy/service/core/REST/SugarRestJSON.php b/public/legacy/service/core/REST/SugarRestJSON.php
index a4cd995904..71bd7e6459 100755
--- a/public/legacy/service/core/REST/SugarRestJSON.php
+++ b/public/legacy/service/core/REST/SugarRestJSON.php
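Review bot: The added `$json_data = html_entity_decode(...)` line decodes the whole request body before it is parsed as JSON, so an entity a client legitimately sends inside a string value (`&quot;` or `&#34;`) becomes a structural `"` and either breaks parsing or changes the document's shape; the same applies to the `html_entity_decode($raw_json_data)` line in PATCH 2/2. The decoding is also PHP-version dependent, because the default flags changed in 8.1 (single quotes are decoded only from then on), so pass them explicitly, e.g. `html_entity_decode($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8')`. If the intent is to undo encoding that some upstream filter applies to `rest_data`, that deserves a comment such as `// rest_data may arrive HTML-entity-encoded (upstream request filtering?) — decode before json_decode; confirm which layer encodes it`, and decoding individual string values after json_decode would avoid touching JSON structure at all. serve() continues past the end of the hunk.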
@@ -84,7 +84,9 @@ public function generateResponse($input){
 */
 public function serve(){
 $GLOBALS['log']->info('Begin: SugarRestJSON->serve');
- $json_data = html_entity_decode(!empty($_REQUEST['rest_data'])? $GLOBALS['RAW_REQUEST']['rest_data']: '');
+ $raw_json_data = $GLOBALS['RAW_REQUEST']['rest_data'];
+ $json_data = !empty($raw_json_data)? html_entity_decode($raw_json_data): '';
+
 if(empty($_REQUEST['method']) || !method_exists($this->implementation, $_REQUEST['method'])){
 $er = new SoapError();
 $er->set_error('invalid_call');
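Review bot: The `!empty($_REQUEST['rest_data'])` guard was dropped, so `$raw_json_data = $GLOBALS['RAW_REQUEST']['rest_data'];` now reads the key unconditionally and raises an undefined-array-key warning on every request that carries no rest_data, before the `empty($raw_json_data)` check on the next line can run. `$raw_json_data = $GLOBALS['RAW_REQUEST']['rest_data'] ?? '';` keeps the new shape and restores the missing-key case. The presence test and the read now both use RAW_REQUEST, whereas before the test was on `$_REQUEST`; if the two can diverge (for example a filter blanking `$_REQUEST['rest_data']` while RAW_REQUEST keeps the original), this quietly widens what the endpoint accepts, which is worth confirming. serve() continues beyond the hunk.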