
Toast and escape characters in utf8 #1639

Closed
2 tasks done
lekoala opened this issue Dec 21, 2023 · 4 comments

Comments

@lekoala
Contributor

lekoala commented Dec 21, 2023

Module version(s) affected

2.1.5

Description

This is related to silverstripe/silverstripe-framework#11089

Currently, toast messages are escaped using Convert::raw2xml. This means that characters like ' are escaped to their utf8 equivalent (e.g. X-Status: Saved Viewing "test event's ...).
But the JS itself doesn't do anything to display this properly.

See here the status message handler

```js
var statusMessage = function(text, type) {
  text = jQuery('<div/>').text(text).html(); // Escape HTML entities in text
  jQuery.noticeAdd({text: text, type: type, stayTime: 5000, inEffect: {left: '0', opacity: 'show'}});
};
```

On top of that, the method used to escape the characters (that should already be safe, but still) is not optimal (see https://stackoverflow.com/questions/1147359/how-to-decode-html-entities-using-jquery/) since adding this in a div could still execute malicious code. Ideally, there should be a standard way to escape strings across the framework without having custom bits of code like this.

How to reproduce

  • Go to model admin to a record with a ' in the name
  • Click save
  • Discover the utf8 encoded ' that is not displayed properly in the toast message

Possible Solution

No response

Additional Context

No response

Validations

  • Check that there isn't already an issue that reports the same bug
  • Double check that your reproduction steps work in a fresh installation of silverstripe/installer (with any code examples you've provided)


@lekoala
Contributor Author

lekoala commented Dec 21, 2023

WIP

Using this works for the single quote

```js
function decodeEntities(encodedString) {
  // A textarea's innerHTML is parsed as text, not markup, so entities are
  // decoded without any element or script being created
  var textArea = document.createElement('textarea');
  textArea.innerHTML = encodedString;
  return textArea.value;
}
```

but doesn't help with ö so there is more to it than it seems
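Added example (not code from silverstripe-admin, the issue's PRs, or the commenter): a pure-JavaScript model, runnable in Node without a DOM, of the double escaping described in the issue and of the decode-once-then-escape-once pipeline behind the textarea approach above. `raw2xml` and `textNodeSerialize` are constructed stand-ins for Convert::raw2xml and jQuery('<div/>').text(text).html(); `decodeEntities` is a string-only decoder standing in for the textarea trick.

```javascript
// Constructed model of the double escaping in this issue (not silverstripe code).

// Stand-in for Convert::raw2xml / PHP htmlspecialchars(ENT_QUOTES): the
// server encodes ' as &#039; before the message is put in the X-Status header.
function raw2xml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Stand-in for jQuery('<div/>').text(text).html(): serialising a text node
// escapes only &, < and >, so an incoming &#039; is re-escaped to &amp;#039;.
function textNodeSerialize(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;' };
  return s.replace(/[&<>]/g, (c) => map[c]);
}

// Decoder for the named and numeric entities raw2xml emits. It is pure string
// processing: nothing is ever parsed as markup, which is the same property the
// <textarea> trick relies on and the reason a <div>'s innerHTML is the wrong sink.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, body) => {
    if (body[0] !== '#') return NAMED[body.toLowerCase()] ?? m; // unknown name: keep as-is
    const hex = body[1].toLowerCase() === 'x';
    const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

// What the current handler renders: the server-side escaping is escaped again.
function currentToastHtml(statusHeader) {
  return textNodeSerialize(statusHeader);
}

// Fixed pipeline: decode the server-side escaping once, then escape exactly once
// at the rendering boundary, so markup in the record name still cannot execute.
function fixedToastHtml(statusHeader) {
  return textNodeSerialize(decodeEntities(statusHeader));
}

const header = raw2xml(`Saved Viewing "test event's" & <b>x</b>`); // constructed sample
console.log(currentToastHtml(header)); // shows &amp;#039; literally in the toast
console.log(fixedToastHtml(header));   // shows the ' and keeps <b> inert
```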

lekoala added a commit to lekoala/silverstripe-admin that referenced this issue Dec 21, 2023
Fixes silverstripe#1639

Side bonus: this is much safer than using jQuery
@lekoala
Contributor Author

lekoala commented Dec 21, 2023

Two PRs to fix this

silverstripe/silverstripe-framework#11105
#1640

@GuySartorelli
Member

This is mostly fixed now - but & is still being escaped to &amp;

@GuySartorelli
Member

All PRs now merged. Anything that hasn't yet been tagged will be automagically tagged by GitHub Actions.
