[Issue Tracker] Description and special characters decoding fix #6643
Conversation
70a1419 to
8d5c90a
Compare
christinerogers
left a comment
There was a problem hiding this comment.
Looks fine by me.
Just to check -- @laemtl Is this the same way we strip / clean special character input elsewhere in the codebase?
@ridz1208 or @johnsaigle or @driusan can you comment/review? re using html_entity_decode
@pierre-p-s Do you have time to pull and test?
|
@laemtl were you able to identify where it was being encoded in the first place ? the PR @johnsaigle linked in the issue (#6223) was the result of sequentially encoding the data during the process of saving. Is it the same case here ? is the data being encoded several times before being saved and if so, can you identify where it is happening ? |
|
@ridz1208 Yes, it is the same case here, encoding happens on save, so the encoded version is saved in the db. My understanding of the problem is the data is not encoded twice, but the string is not decoded on load so the encoded characters are interpreted as plain text. |
|
@laemtl yeah I just did my own little investigation. your are correct. It is slightly different then the instrument bug because in this case its a single escape happening but when the data is loaded, it's being loaded into a static field and the browser does not seem to un-escape static fields. so the bug here is not to remove an escaping step but rather to add an unescaping step which brings the question @johnsaigle whats the use of escaping the data if it's gonna get unescaped before being sent to the browser... |
The best way to handle data safely is to:
We have a bunch of escaping/unescaping because:
I'll make a detailed issue about this because this is a problem that we should track and it would be best to have a place I can refer people to to explain why the codebase behaves the way it does. |
|
@johnsaigle what would be your recommendation for this release ? just unescape the HTML for now ? |
|
@ridz1208 Yeah this is a very deep and longstanding problem. We won't be able to solve it for this release. Until we have the time and will to fix the root of this problem, we will have to keep unescaping things as bugs arise. |
| $issueData['whoami'] = $username; | ||
| $issueData['othersWatching'] = getWatching($issueID); | ||
| $issueData['desc'] = $desc[0]['issueComment'] ?? ''; | ||
| $issueData['desc'] = html_entity_decode($comment) ?? ''; |
There was a problem hiding this comment.
Can you add a comment (to the code) explaining why this should be safe from XSS attacks?
There was a problem hiding this comment.
@driusan I approved the PR, can you just make sure the comment added is good for you ?
8d5c90a to
8610f36
Compare
8610f36 to
9a33353
Compare
Minor fix to decode an issue description special characters (&<>).