Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Comments

HTMLSpecialChars() Double escaping default to false#9557

Merged
driusan merged 3 commits intoaces:mainfrom
KLaFleur:double_escaping_for_26
Feb 18, 2025
Merged

HTMLSpecialChars() Double escaping default to false#9557
driusan merged 3 commits intoaces:mainfrom
KLaFleur:double_escaping_for_26

Conversation

@KLaFleur
Copy link
Contributor

@KLaFleur KLaFleur commented Feb 11, 2025

Brief summary of changes

updated all instances of htmlspecialchars() to turn off double escaping

@KLaFleur KLaFleur requested review from driusan and ridz1208 February 11, 2025 22:18
KLaFleur
KLaFleur commented Feb 12, 2025
View reviewed changes
php/installer/Installer.class.inc
Copy link
Contributor Author

@KLaFleur KLaFleur Feb 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wasn't totally sure about this one

Copy link
Collaborator

@driusan driusan Feb 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Better to be more aggressive than less in updating these

@driusan
Copy link
Collaborator

driusan commented Feb 12, 2025

Can you rebase this on main?

@KLaFleur KLaFleur changed the base branch from 26.0-release to main February 12, 2025 16:45
@KLaFleur
Copy link
Contributor Author

KLaFleur commented Feb 12, 2025

Can you rebase this on main?

Is this what you meant? Or a rebase via my VM and resending the code

@driusan
Copy link
Collaborator

driusan commented Feb 12, 2025

You need to do both as it now includes unrelated changes. git rebase aces/main and then git push --force should work without closing and resending.

@KLaFleur
Copy link
Contributor Author

KLaFleur commented Feb 12, 2025

You need to do both as it now includes unrelated changes. git rebase aces/main and then git push --force should work without closing and resending.

Hmm I had tried that but got a number of conflicts

@ridz1208 ridz1208 changed the base branch from main to 26.0-release February 13, 2025 17:40
@KLaFleur KLaFleur force-pushed the double_escaping_for_26 branch from d8c3c3f to e23ca66 Compare February 13, 2025 18:25
@KLaFleur KLaFleur changed the base branch from 26.0-release to main February 13, 2025 18:25
@driusan driusan closed this Feb 14, 2025
@driusan driusan reopened this Feb 14, 2025
@KLaFleur KLaFleur force-pushed the double_escaping_for_26 branch from e23ca66 to 208d05f Compare February 14, 2025 16:04
ridz1208
ridz1208 reviewed Feb 14, 2025
View reviewed changes
htdocs/installdb.php Outdated
);
$installer->getConfigContent($_POST),
ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
null, false);
Copy link
Collaborator

@ridz1208 ridz1208 Feb 14, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@KLaFleur please breakdown all the functions properly

ridz1208
ridz1208 reviewed Feb 14, 2025
View reviewed changes
php/installer/Installer.class.inc Outdated
},
return htmlspecialchars($val,
ENT_XML1 | ENT_SUBSTITUTE | ENT_HTML5, 'ISO-8859-1',
null, false);
Copy link
Collaborator

@ridz1208 ridz1208 Feb 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@KLaFleur too many arguments there

@KLaFleur KLaFleur force-pushed the double_escaping_for_26 branch from 208d05f to 0df0d26 Compare February 14, 2025 16:48
@KLaFleur
modified installer file
63984ca 
changed formatting to keep lines under 85 char + added a few missed instances of htmlspecialchars()
@KLaFleur KLaFleur force-pushed the double_escaping_for_26 branch from 0df0d26 to 63984ca Compare February 14, 2025 17:45
@driusan
Copy link
Collaborator

driusan commented Feb 17, 2025

@KLaFleur Please fix the tests on this. It looks like it's failing on PHPCS and most of them can be autofixed with npm run lintfix:php

@driusan driusan added Release: Add to release notes PR whose changes should be highlighted in the release notes State: Needs work PR awaiting additional work by the author to proceed Critical to release PR or issue is key for the release to which it has been assigned Category: Security PR or issue that aims to improve security Priority: High PR or issue should be prioritised over others for review and testing Language: PHP PR or issue that update PHP code Difficulty: Simple PR or issue that should be easy to implement, review, or test labels Feb 17, 2025
@driusan driusan added this to the 27.0.0 milestone Feb 17, 2025
@ridz1208 ridz1208 changed the title double_escaping HTMLSpecialChars() Double escaping default to false Feb 18, 2025
@driusan
Copy link
Collaborator

driusan commented Feb 18, 2025

This appears to be failing because of a bug in phan. The parameter it's complaining about is nullable according to the PHP documentation: https://www.php.net/manual/en/function.htmlspecialchars.php

I think for now, you should explicitly set it to 'UTF-8' to get around the errors. It's technically not the same meaning, but our encodings should pretty much always be utf8.

@ridz1208 @KLaFleur
phpcs
0f2de3b 
adding utf-8 as the encoding parameter instead of NULL
@KLaFleur KLaFleur force-pushed the double_escaping_for_26 branch from 40e765d to 0f2de3b Compare February 18, 2025 17:03
@driusan driusan merged commit 31800de into aces:main Feb 18, 2025
19 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ridz1208 ridz1208 ridz1208 left review comments

@driusan driusan Awaiting requested review from driusan

Assignees

@ridz1208 ridz1208

@KLaFleur KLaFleur

Labels

Category: Security PR or issue that aims to improve security Critical to release PR or issue is key for the release to which it has been assigned Difficulty: Simple PR or issue that should be easy to implement, review, or test Language: PHP PR or issue that update PHP code Priority: High PR or issue should be prioritised over others for review and testing Release: Add to release notes PR whose changes should be highlighted in the release notes State: Needs work PR awaiting additional work by the author to proceed

Projects

None yet

Milestone

27.0.0

Development

Successfully merging this pull request may close these issues.

3 participants

@KLaFleur @driusan @ridz1208