flangefrog Posted March 11, 2014

Just a small issue with the feed reader plugin here. I'm sure you're aware of it, but the HTML special characters are getting encoded twice, making an ampersand display as &amp; (&amp;amp; in the source). I would look into this myself but it will probably be a lot quicker for the original developer, and I'm currently busy with work and creating my Web Drive module.

flangefrog (Author) Posted April 3, 2014

Ok, I've found the problem:

/plugins/feed_reader/views/default/admin_main.pdt
Line 19, Column 145

Replace
<?php $this->Html->_($articles[$i]->data['title']);?>
With
<?php echo $this->Html->ifSet($articles[$i]->data['title']);?>

Any chance you could add this fix (or an equivalent one) to the core?

Paul Posted April 3, 2014

CORE-1123, thanks for the report!

flangefrog (Author) Posted April 7, 2014

In addition to the above, it looks like the same thing needs to be done for the URLs. URLs like index.php?foo&bar are encoded like index.php?foo&amp;bar.

/plugins/feed_reader/views/default/admin_main.pdt
Line 19, Column 75

Replace
<?php $this->Html->_($articles[$i]->data['link']);?>
With
<?php echo $this->Html->ifSet($articles[$i]->data['link']);?>

Cody Posted April 27, 2014

"index.php?foo&amp;bar" is the correct way to encode URIs. Are you saying the URI is doubly encoded (as in "index.php?foo&amp;amp;bar")? That would be a problem. Your fix, from what I see, would open the system up to XSS.

flangefrog (Author) Posted April 28, 2014

Cody, I don't think that's correct.

For a URL index.php?foo=bar&baz=qux
foo = bar
baz = qux

For a URL index.php?foo=bar&amp;baz=qux
foo = bar
amp;baz = qux

The ampersand should only be encoded when it's part of a param, i.e. when you're passing a URL as a param. Refer to http://tools.ietf.org/html/rfc3986#section-2

I think instead of using HTML entity encoding, you should be using something like rawurlencode(), which encodes the URL according to the RFC mentioned above. SimplePie may do this itself; it seems to at least escape the content (which is why Blesta was double encoding it).

Cody Posted April 28, 2014

Encoding is different than escaping. Don't have time to pull up the HTML spec, but this might help clarify: http://stackoverflow.com/questions/3705591/do-i-encode-ampersands-in-a-href.

flangefrog (Author) Posted April 28, 2014

Thanks for the link. I hadn't realised that the dev tools were decoding the HTML. However, looking at the raw AJAX response, it returns this:

index.php?_m=news&_a=viewnews&newsid=1339
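
An added PHP example, not part of the thread and not Blesta or SimplePie code, contrasting the three outputs debated above: escaping an already-encoded feed value again, echoing it raw, and escaping it exactly once. It assumes the feed parser returns values that are already entity-encoded once; `escape_once` and `safe_href` are hypothetical helpers, the sample values are constructed, and the URL scheme check goes beyond what the thread covers.

```php
<?php
// Added example. Not Blesta or SimplePie code; all sample values are constructed.

// Assumption: the feed parser returns strings that are already entity-encoded once.
$title = 'Tips &amp; tricks &lt;b&gt;bold&lt;/b&gt;';
$link  = 'index.php?foo=1&amp;bar=2';

// Hypothetical helper: undo one layer of entities, then apply exactly one layer,
// so output is escaped whether or not the upstream parser escaped it.
function escape_once(string $value): string
{
    $plain = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return htmlspecialchars($plain, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hypothetical helper: escaped href for relative or http(s) URLs, '#' otherwise.
// Entity escaping alone does not neutralise a script-capable URL scheme.
function safe_href(string $value): string
{
    $plain = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // Browsers ignore control characters and whitespace inside a scheme, so drop them first.
    $clean = preg_replace('/[\x00-\x20]+/', '', $plain);
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $clean, $m)
        && !in_array(strtolower($m[1]), ['http', 'https'], true)) {
        return '#';
    }
    return htmlspecialchars($clean, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 1. Escaping again: the existing entities gain a second layer (the reported bug).
echo htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n";

// 2. Echoing raw: correct only while every feed value is guaranteed to be
//    escaped upstream; otherwise markup from the feed reaches the page.
echo $title, "\n";

// 3. Escaping exactly once, independent of what the parser did.
echo escape_once($title), "\n";
echo escape_once('<b>unescaped feed value</b>'), "\n";

// Link handling for the href attribute.
echo safe_href($link), "\n";
echo safe_href('javascript:alert(1)'), "\n";
```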