+
Skip to content

HTMLSpecialChars() Double escaping default to false #9557

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Feb 18, 2025
Merged

HTMLSpecialChars() Double escaping default to false #9557

merged 3 commits into from
Feb 18, 2025

Conversation

KLaFleur
Copy link
Contributor

Brief summary of changes

updated all instances of htmlspecialchars() to turn off double escaping

@KLaFleur KLaFleur requested review from driusan and ridz1208 February 11, 2025 22:18
KLaFleur
KLaFleur commented Feb 12, 2025
View reviewed changes
php/installer/Installer.class.inc
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wasn't totally sure about this one

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Better to be more aggressive than less in updating these

@driusan
Copy link
Collaborator

driusan commented Feb 12, 2025

Can you rebase this on main?

@KLaFleur KLaFleur changed the base branch from 26.0-release to main February 12, 2025 16:45
@KLaFleur
Copy link
Contributor Author

Can you rebase this on main?

Is this what you meant? Or a rebase via my VM and resending the code

@driusan
Copy link
Collaborator

driusan commented Feb 12, 2025

You need to do both as it now includes unrelated changes. git rebase aces/main and then git push --force should work without closing and resending.

@KLaFleur
Copy link
Contributor Author

You need to do both as it now includes unrelated changes. git rebase aces/main and then git push --force should work without closing and resending.

Hmm I had tried that but got a number of conflicts

@ridz1208 ridz1208 changed the base branch from main to 26.0-release February 13, 2025 17:40
@KLaFleur KLaFleur force-pushed the double_escaping_for_26 branch from d8c3c3f to e23ca66 Compare February 13, 2025 18:25
@KLaFleur KLaFleur changed the base branch from 26.0-release to main February 13, 2025 18:25
@driusan driusan closed this Feb 14, 2025
@driusan driusan reopened this Feb 14, 2025
@KLaFleur KLaFleur force-pushed the double_escaping_for_26 branch from e23ca66 to 208d05f Compare February 14, 2025 16:04
ridz1208
ridz1208 reviewed Feb 14, 2025
View reviewed changes
htdocs/installdb.php Outdated
);
$installer->getConfigContent($_POST),
ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
null, false);
Copy link
Collaborator

@ridz1208 ridz1208 Feb 14, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@KLaFleur please breakdown all the functions properly

ridz1208
ridz1208 reviewed Feb 14, 2025
View reviewed changes
php/installer/Installer.class.inc Outdated
},
return htmlspecialchars($val,
ENT_XML1 | ENT_SUBSTITUTE | ENT_HTML5, 'ISO-8859-1',
null, false);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@KLaFleur too many arguments there

@KLaFleur KLaFleur force-pushed the double_escaping_for_26 branch from 208d05f to 0df0d26 Compare February 14, 2025 16:48
@KLaFleur
modified installer file
63984ca 
changed formatting to keep lines under 85 char + added a few missed instances of htmlspecialchars()
@KLaFleur KLaFleur force-pushed the double_escaping_for_26 branch from 0df0d26 to 63984ca Compare February 14, 2025 17:45
@driusan
Copy link
Collaborator

driusan commented Feb 17, 2025

@KLaFleur Please fix the tests on this. It looks like it's failing on PHPCS and most of them can be autofixed with npm run lintfix:php

@driusan driusan added Release: Add to release notes PR whose changes should be highlighted in the release notes State: Needs work PR awaiting additional work by the author to proceed Critical to release PR or issue is key for the release to which it has been assigned Category: Security PR or issue that aims to improve security Priority: High PR or issue should be prioritised over others for review and testing Language: PHP PR or issue that update PHP code Difficulty: Simple PR or issue that should be easy to implement, review, or test labels Feb 17, 2025
@driusan driusan added this to the 27.0.0 milestone Feb 17, 2025
@ridz1208 ridz1208 changed the title double_escaping HTMLSpecialChars() Double escaping default to false Feb 18, 2025
@driusan
Copy link
Collaborator

driusan commented Feb 18, 2025

This appears to be failing because of a bug in phan. The parameter it's complaining about is nullable according to the PHP documentation: https://www.php.net/manual/en/function.htmlspecialchars.php

I think for now, you should explicitly set it to 'UTF-8' to get around the errors. It's technically not the same meaning, but our encodings should pretty much always be utf8.

@ridz1208 @KLaFleur
phpcs
0f2de3b 
adding utf-8 as the encoding parameter instead of NULL
@KLaFleur KLaFleur force-pushed the double_escaping_for_26 branch from 40e765d to 0f2de3b Compare February 18, 2025 17:03
@driusan driusan merged commit 31800de into aces:main Feb 18, 2025
19 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ridz1208 ridz1208 ridz1208 left review comments

@driusan driusan Awaiting requested review from driusan

Assignees

@ridz1208 ridz1208

@KLaFleur KLaFleur

Labels

Category: Security PR or issue that aims to improve security Critical to release PR or issue is key for the release to which it has been assigned Difficulty: Simple PR or issue that should be easy to implement, review, or test Language: PHP PR or issue that update PHP code Priority: High PR or issue should be prioritised over others for review and testing Release: Add to release notes PR whose changes should be highlighted in the release notes State: Needs work PR awaiting additional work by the author to proceed

Projects

None yet

Milestone

27.0.0

Development

Successfully merging this pull request may close these issues.

3 participants

@KLaFleur @driusan @ridz1208
点击 这是indexloc提供的php浏览器服务,不要输入任何密码和下载