@flamisz opened this Pull Request on April 18th 2021 Contributor

Description:

fixes: #14065

Review

  • [ ] Functional review done
  • [ ] Potential edge cases thought about (behavior of the code with strange input, with strange internal state or possible interactions with other Matomo subsystems)
  • [ ] Usability review done (is anything maybe unclear or think about anything that would cause people to reach out to support)
  • [ ] Security review done see checklist
  • [ ] Code review done
  • [ ] Tests were added if useful/possible
  • [ ] Reviewed for breaking changes
  • [ ] Developer changelog updated if needed
  • [ ] Documentation added if needed
  • [ ] Existing documentation updated if needed
@flamisz commented on April 18th 2021 Contributor

The problem I found was that we use htmlspecialchars on the title before we save it to the db, and we double encode it in the twig file. We put it into the DOM at line 83 (but this is hidden on the page), and then we use this already encoded version at line 88.

https://github.com/matomo-org/matomo/blob/84b9f9c33ce6402556008c8764a79747f24b5b0f/plugins/Live/templates/getLastVisitsStart.twig#L83-L88
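
The double encoding described in the comment above, reproduced as an added example in plain PHP. This is not Matomo's code and it does not load Twig: the `twigAutoescape()` function is an assumed stand-in for Twig's default `html` autoescape (which also relies on `htmlspecialchars()`), the `storeTitle()` function stands in for the tracker-side sanitisation, the sample titles are constructed, and the third rendering strategy is an alternative shown for comparison, not the change made in this pull request.

```php
<?php
declare(strict_types=1);

// Added example, not Matomo code. Reproduces the double-encoding bug with
// htmlspecialchars() only and contrasts three ways a template can emit the
// stored title. Assumptions: storeTitle() mimics the tracker-side sanitising,
// twigAutoescape() mimics Twig's default html autoescape.

// Tracker side: the page title is encoded once before it is saved.
function storeTitle(string $rawTitle): string
{
    return htmlspecialchars($rawTitle, ENT_QUOTES, 'UTF-8');
}

// Stand-in for what Twig does to a {{ value }} expression with autoescape on.
function twigAutoescape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 1) {{ stored }}: autoescape encodes the stored entities a second time (the bug).
function renderDoubleEncoded(string $stored): string
{
    return twigAutoescape($stored);
}

// 2) {{ stored|raw }}: the stored value is emitted untouched (the fix in this PR).
//    Correct only while every row really went through storeTitle().
function renderRaw(string $stored): string
{
    return $stored;
}

// 3) Decode once, then let autoescape encode once. Same output as (2) for rows
//    stored encoded, but a row that was stored unencoded is still escaped.
//    Caveat: a title whose literal text contains "&amp;" is shown as "&".
function renderDecodeThenEscape(string $stored): string
{
    $decoded = html_entity_decode($stored, ENT_QUOTES, 'UTF-8');
    return twigAutoescape($decoded);
}

// Constructed sample title: markup, quotes, an ampersand and Twig-looking braces.
$title  = 'Tom & Jerry <b>"Fight"</b> {{ 7*7 }}';
$stored = storeTitle($title);   // what a normally tracked row looks like in the db
$legacy = $title;               // what a hypothetical row stored unencoded would look like

printf("stored in db : %s\n\n", $stored);
foreach (['stored' => $stored, 'legacy' => $legacy] as $kind => $row) {
    printf("[%s] double   : %s\n", $kind, renderDoubleEncoded($row));
    printf("[%s] raw      : %s\n", $kind, renderRaw($row));
    printf("[%s] decode+e : %s\n\n", $kind, renderDecodeThenEscape($row));
}
```

Running it shows the stored row as `Tom &amp; Jerry &lt;b&gt;&quot;Fight&quot;&lt;/b&gt; {{ 7*7 }}`, the double-encoded output as `Tom &amp;amp; Jerry &amp;lt;b&amp;gt;...` (which is what the browser displayed before the fix), and identical, correctly single-encoded output for strategies 2 and 3. For the unencoded `legacy` row, strategy 2 emits `<b>` as live markup while strategy 3 escapes it, which is the failure mode to weigh when choosing `|raw`. The `{{ 7*7 }}` text survives literally in every variant: Twig parses template source, not the values passed into it, so braces inside a variable are never evaluated.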

@diosmosis commented on April 18th 2021 Member

LGTM and works locally, merging

@tsteur commented on April 19th 2021 Member

Would |raw be causing any security issue? Like when the title maybe contains {{ and }}? Would we need to use something like |rawSafeDecoded? Or if we ever tracked a title not encoded in the past, could this cause an issue?

This Pull Request was closed on April 18th 2021