thesba_rewilliams, posted October 19, 2012

I have a module that latches on to a few hooks, including ClientAdd and ClientEdit. When WHMCS calls my hooks, the fields passed to my module in the array are HTML entity-encoded. For example, if the company name is "John & Jane's Shop", it gets passed to my module as "John & Jane's Shop". I also noticed that the values are stored in the tblclients table encoded, as well, as though everything were being encoded up-front with the assumption that it will only ever be displayed in HTML output.

Is this encoding behavior a bug or expected, correct behavior? Put another way, should I make a point of decoding before working with the data (and encoding before updating anything in the database), or might the behavior change in the future when you fix something?

disgruntled, posted October 19, 2012

It is the expected behaviour for the program; anything that will only be used in HTML output will be HTML-encoded. If there is a change in the future then you will get notice of this in the change log for any update. I would go ahead and develop for HTML entities to be a fixed feature.

thesba_rewilliams (author), posted October 19, 2012

Pre-encoding things going into the database certainly strikes me as an, erm, unusual approach, but okay. Is there at least a reference list somewhere that lists which columns in which tables should be encoded?

thesba_rewilliams (author), posted October 19, 2012

Incidentally, I suggest to the WHMCS team to document this, in bold, somewhere in the docs about modules. You're told how to access the database, but not that you need to encode and decode data even if you're not working with HTML. If someone doesn't catch this in testing like we did, it could lead to some rather substantial security problems.
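
The decode-on-read, encode-once-on-write handling discussed in this thread, as an added example that is not part of the original posts and is not WHMCS code. The helper names, the `companyname` key, the sample array and the `ENT_QUOTES`/UTF-8 settings are assumptions for illustration; the thread does not state which flags or charset WHMCS applies.

```php
<?php
// Added example. Assumption: values were encoded with ENT_QUOTES semantics in UTF-8.
const ENC_FLAGS   = ENT_QUOTES | ENT_HTML401;
const ENC_CHARSET = 'UTF-8';

/** Decode entity-encoded hook values into raw text for non-HTML use (hypothetical helper). */
function decode_fields(array $vars, array $keys): array
{
    $out = [];
    foreach ($keys as $k) {
        // Only string fields carry entities; IDs and flags are left out.
        if (isset($vars[$k]) && is_string($vars[$k])) {
            $out[$k] = html_entity_decode($vars[$k], ENC_FLAGS, ENC_CHARSET);
        }
    }
    return $out;
}

/** Encode raw text exactly once before it goes back into an entity-encoded column. */
function encode_for_storage(string $raw): string
{
    // The input must be raw text. Passing an already-encoded value here
    // double-encodes it and corrupts the stored data.
    return htmlspecialchars($raw, ENC_FLAGS, ENC_CHARSET);
}

// Constructed sample of what a ClientAdd/ClientEdit hook array might contain.
$vars = ['userid' => 42, 'companyname' => 'John &amp; Jane&#039;s Shop'];

// 1. Decode before any non-HTML use (API call, CSV export, mail, comparison).
$raw = decode_fields($vars, ['companyname']);

// 2. Apply the escaping that belongs to the destination, not HTML escaping.
$json = json_encode(['company' => $raw['companyname']]);

// 3. Encode once when writing back; the value round-trips unchanged.
$stored = encode_for_storage($raw['companyname']);

// 4. The failure mode: encoding the still-encoded hook value a second time.
$double = encode_for_storage($vars['companyname']);

echo "raw:     {$raw['companyname']}\n";
echo "json:    $json\n";
echo "stored:  $stored\n";
echo "double:  $double\n";
var_dump($stored === $vars['companyname']);
```

Entity encoding only addresses the HTML context: values written back to the database still need bound parameters, and values sent to a shell, CSV or mail header need that destination's own escaping applied to the decoded text.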