Fix double escaping bug #7552
Fix double escaping bug #7552
Conversation
mnapoli
added
Bug
mnapoli
force-pushed
the
double-escaping-bug
branch
2 times, most recently
from
8380e91
to
28c3cd1
Compare
|
UI tests show it broke the highlighting of the current searched site… |
|
It turns out autocompletion highlighting is broken on master. Go on the demo and try to autocomplete I think the problem is that the current autocomplete doesn't clear previous highlighted stuff, so it keeps adding What I suggest is to disable the autocompletion highlighting for now in this pull request and try to fix it later? |
|
(quoted from the other issue)
Here's an idea for a simpler hack that doesn't require skipping escaping via twig/angular (I think that's what's going on in this pull request): For 1), maybe we can create a new global var that uses the correct, unescaped site name. And for 2) can we fix users of the |
Does this mean they are double encoded? Or I guess escaped once so it can be just inserted in HTML? I don't know what over-escaped means.
Maybe siteNameUnescaped? I was thinking the old variable could be deprecated (in some manner), and maybe put out of use eventually when angular is used more in the UI. Of course that's quite a long way away, and #6714 could be accomplished well before then, so I guess it doesn't really matter how this is solved right now :) |
|
Answering @diosmosis's comments which for some reason ended up in my comment :)
No basically they are fetched from the HTTP API not escaped, i.e. once in the Javascript variable (in the Angular directive) they are not escaped, which is correct (no reason for a value to be stored escaped). At that point I manually escape them, so they end up "escaped" in the javascript variable, which I call "over-encoded" because at that point there is no reason that they should be escaped. I do that because all other variables are stored escaped in memory (which they shouldn't ideally, but…): that way everything is consistently escaped in memory. So when the variable is echo'ed by Angular into the HTML, it is normally escaped first (by Angular) but I disable that (given variables are already all escaped).
Yep why not. As you said "I guess it doesn't really matter how this is solved right now" I agree :) I've already spent 2 days of work on this bug (which is kind of depressing) I'd rather leave it be with the currently implemented solution unless we think another solution is much better |
I think it's a good solution that fixes the bug + introduces some consistency, so 👍 from me |
|
@tsteur would you mind review this one and +1 if it's valid solution (and xss safe)? |
|
I think it's XSS safe. For a better understanding: Could the AngularJS part be also solved by using Not sure how the SitesManager Controller change https://github.com/piwik/piwik/pull/7552/files#diff-d4d6201aa71999510eb45b144a549ef3R129 is related or whether it introduces any XSS. Couldn't find where it is used. |
| @@ -449,7 +449,7 @@ public function generateReport($idReport, $date, $language = false, $outputType | |||
| // render report | |||
| $description = str_replace(array("\r", "\n"), ' ', $report['description']); | |||
|
|
|||
| list($reportSubject, $reportTitle) = self::getReportSubjectAndReportTitle(Site::getNameFor($idSite), $report['reports']); | |||
| list($reportSubject, $reportTitle) = self::getReportSubjectAndReportTitle(html_entity_decode(Site::getNameFor($idSite)), $report['reports']); | |||
There was a problem hiding this comment.
Should Piwik::unsanitizeInputValue be used instead of html_entity_decode?
|
@tsteur I have answered your comment in the code parts you mentionned |
mnapoli
force-pushed
the
double-escaping-bug
branch
from
28c3cd1
to
662621b
Compare
|
I have fixed the |
Fix double escaping bug in site selector (when selecting site w/ special html chars, the name appears escaped). Includes small refactor to site selector, now instead of escaping selected site name on demand, site names are stored escaped in memory, and we bypass angular.js escaping. Also includes fix for related double encode bug in scheduled reports title.
Fixes #7531
More explanation in #7531 (comment)
I've also edited the CustomAlerts plugin and made a new release.