
[BUGFIX] Do not attempt to escape non-string or -compatible values #285

Merged
merged 2 commits into from
Jul 28, 2017

Conversation

NamelessCoder (Member)

Avoids calling htmlspecialchars() on incompatible values. Changes compiling of the escaping node to generate a small closure which checks for string or string-compatible value before escaping.

$configuration['execution'] = sprintf('htmlspecialchars(%s, ENT_QUOTES)', $configuration['execution']);
$configuration['execution'] = sprintf(
'call_user_func_array( function ($var) { ' .
'return (is_string($var) || (is_object($var) && method_exists($var, \'__toString\')) ' .
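Review bot: the predicate `is_string($var) || (is_object($var) && method_exists($var, '__toString'))` is emitted here as source text inside a generated closure and appears again, by hand, in the `evaluate()` hunk below; two copies of a security-relevant check will drift apart. Have both paths call one static helper (for example `EscapingNode::isEscapable($var)`, name to be chosen) so the compiled and uncompiled code agree by construction. Minor style point: `call_user_func_array( function ($var) { ... }, [...])` for a single argument reads awkwardly; `call_user_func` with the value passed directly does the same job.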
Contributor

The is_string() should be is_scalar()

NamelessCoder (Member, Author) May 18, 2017

I'm not sure I agree - could you illustrate a case where a non-string scalar value would potentially result in unsafe output if (implicitly) cast to a string w/o doing htmlspecialchars()?

Contributor

Oh ah yeah... well... that's true. No potential security issue. And we'll always get a string as result, which may be another problem. So yes - ignore my comments
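The thread above settles on is_string() plus a __toString() check rather than is_scalar(). As an added illustration (not code from the Fluid project), the predicate this PR generates is pulled out into plain PHP functions and run over constructed sample values of every type it can meet, and a second check answers the question raised above directly: a scalar cast to string never contains anything htmlspecialchars() would change, so leaving scalars alone is safe while preserving their type. The function and class names (isStringCompatible, escapeIfStringCompatible, HtmlLabel) are assumptions for this example, not Fluid identifiers.

```php
<?php
declare(strict_types=1);

// Added example, not Fluid's own code. The predicate the PR compiles into the
// escaping closure is extracted into ordinary functions so it can be exercised.
// All names below are illustrative assumptions, not Fluid identifiers.

/** True for values the escaping node is willing to pass through htmlspecialchars(). */
function isStringCompatible($value): bool
{
    return is_string($value) || (is_object($value) && method_exists($value, '__toString'));
}

/** Same behaviour as the generated closure: escape string-compatible values, return the rest untouched. */
function escapeIfStringCompatible($value)
{
    return isStringCompatible($value)
        ? htmlspecialchars((string) $value, ENT_QUOTES)
        : $value;
}

/**
 * The reviewer's question: can a non-string scalar need escaping once cast?
 * (string) on int/float/bool/null yields only digits, a sign, '.', 'E', 'NAN', 'INF',
 * '1' or '', none of which htmlspecialchars() touches, so the cast is already safe.
 */
function scalarCastIsAlreadySafe(array $scalars): bool
{
    foreach ($scalars as $v) {
        $cast = (string) $v;
        if (htmlspecialchars($cast, ENT_QUOTES) !== $cast) {
            return false;
        }
    }
    return true;
}

/** Constructed stand-in for a domain object that renders itself as HTML via __toString(). */
final class HtmlLabel
{
    /** @var string */
    private $html;

    public function __construct(string $html)
    {
        $this->html = $html;
    }

    public function __toString(): string
    {
        return $this->html;
    }
}

// Constructed sample values, one per branch the predicate distinguishes.
$samples = [
    'string'     => '<script>alert(1)</script>',   // escaped
    'stringable' => new HtmlLabel('<b>bold</b>'),   // cast, then escaped
    'int'        => 42,                             // returned as int
    'float'      => -1.5,                           // returned as float
    'bool'       => true,                           // returned as bool
    'null'       => null,                           // returned as null
    'array'      => ['<a>'],                        // returned as array (no "Array" cast notice)
];

foreach ($samples as $label => $value) {
    $out = escapeIfStringCompatible($value);
    // gettype() shows that non-string values keep their type, unlike the old
    // unconditional htmlspecialchars() call which always produced a string.
    printf("%-10s in=%-7s out=%-7s %s\n", $label, gettype($value), gettype($out), json_encode($out));
}

// Scalars that exercise every textual form a cast can produce.
$scalars = [0, -42, PHP_INT_MAX, 3.14, -1.0E+25, NAN, INF, true, false, null];
var_dump(scalarCastIsAlreadySafe($scalars));
```

The second check is the argument that closes the thread: switching to is_scalar() would add work without removing any unescaped character, while the string/__toString() test keeps ints, floats and booleans typed for callers that inspect the evaluated value. The array case is the one that matters for correctness rather than security, since casting it would emit "Array" with a notice instead of the real value.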

@@ -41,7 +41,11 @@ public function __construct(NodeInterface $node)
*/
public function evaluate(RenderingContextInterface $renderingContext)
{
return htmlspecialchars($this->node->evaluate($renderingContext), ENT_QUOTES);
$evaluated = $this->node->evaluate($renderingContext);
if (is_string($evaluated) || (is_object($evaluated) && method_exists($evaluated, '__toString'))) {
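Review bot: `evaluate()` no longer always returns a string, since values failing the `if` on the last line are handed back as-is, so the `@return` in the docblock that closes with `*/` just above this hunk needs to say `mixed` (or string|mixed) rather than promising a string; any caller that concatenated the result without a cast now receives the raw value. The condition itself repeats the predicate compiled into the closure in the `convert()` hunk; route both through one shared helper so they cannot diverge.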
sascha-egerer (Contributor) May 18, 2017

The is_string() should be is_scalar()

@@ -145,7 +145,7 @@ public function getConvertTestValues()
],
[
new EscapingNode(new TextNode('foo')),
'htmlspecialchars(\'foo\', ENT_QUOTES)'
'call_user_func_array( function ($var) { return (is_string($var) || (is_object($var) && method_exists($var, \'__toString\')) ? htmlspecialchars((string) $var, ENT_QUOTES) : $var); }, [\'foo\'])'
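Review bot: asserting the complete generated source string makes this test break on any whitespace or wording change in the compiler while proving nothing about runtime behaviour. Keep the string comparison if it is wanted as a regression guard, but add a behavioural case that evaluates the compiled EscapingNode with an integer, an array and an object implementing `__toString`, asserting the first two come back unchanged and the third is escaped; that is the property the PR title actually claims.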
sascha-egerer (Contributor) May 18, 2017

The is_string() should be is_scalar()

@mneuhaus mneuhaus merged commit 441ad11 into TYPO3:master Jul 28, 2017
@NamelessCoder NamelessCoder deleted the noescape branch July 28, 2017 23:02
bmack pushed a commit to bmack/Fluid that referenced this pull request Aug 25, 2017
…YPO3#285)

Avoids calling htmlspecialchars() on incompatible values. Changes compiling of the escaping node to generate a small closure which checks for string or string-compatible value before escaping.
opi99 pushed a commit to opi99/Fluid that referenced this pull request Jan 8, 2018
…YPO3#285)

Avoids calling htmlspecialchars() on incompatible values. Changes compiling of the escaping node to generate a small closure which checks for string or string-compatible value before escaping.
lolli42 pushed a commit that referenced this pull request Feb 5, 2018
* [TASK] Use the Trusty build environment on Travis (#314)

* [TASK] Remove test coverage of HHVM from travis.yml (#323)

Resolves: #322

* [BUGFIX] Fix getLayoutPathAndFilename behavior in TemplatePaths (#309)

Class TemplatePaths will now correctly return the class variable layoutPathAndFilename if it was set before.

Close: #309

* [BUGFIX] Use sanitized identifier in TemplateCompiler::has() (#321)

Instances are stored with the sanitized identifier into a runtime cache.
The `TemplateCompiler::has()` must also use the sanitized version of the
identifier to check if the instance exists in the runtime cache.

Resolves #320

* require and include are statements (#316)

* [BUGFIX] Prevent re-loading cached classes that already exist (#315)

This patch prevents a problem where it is made up to the individual cache implementation whether or not to re-load a class file when a class is already defined. Instead, making the compiler only fetch the class from cache if it is not already loaded (by checking class_exists without allowing autoloading!) prevents re-loading classes with “class already declared” errors to follow.

* [TASK] Throw ViewHelper exception in f:count on uncountable subject (#296)

* [TASK] Use (float) and (int) (#313)

* [BUGFIX] Do not attempt to escape non-string or -compatible values (#285)

Avoids calling htmlspecialchars() on incompatible values. Changes compiling of the escaping node to generate a small closure which checks for string or string-compatible value before escaping.

* [BUGFIX] Handle adding namespaces to ignored namespaces (#283)

Corrects the following two misbehaviors:

1. A second call to add a namespace with a `null` value causes an error; expected: silently keep ignoring namespace.
2. A second call to add a namespace that was previously ignored causes an error; expected: converts ignored namespace to active.

Fixes: #282

* [TASK] Fix typo in unknown namespace exception message (#326)

* [BUGFIX] Make casting of numbers the same in arguments and arrays (#333)

Problem briefly described: numbers passed in tag attributes vs. numbers passed in inline syntax (which internally uses the array syntax parsing) handles numeric values in two different ways:

* In tags, a NumericNode is created if is_numeric is true
* In arrays, numbers are cast with (float) and matched by regexp

NumericNode also casts the value but does so by using an add zero trick which makes PHP do the casting based on string value, and the input is always a string in the parser. This means that the two different ways of passing a number will produce two different types of variables given natural numbers as input. Passing floats still causes the same type.

The solution is to apply the same method of casting in both cases.

* [BUGFIX] Make ViewHelperResolver internal cache non-static (#328)

Using a static class property for the cache could have bad side effects for setups which have multiple contexts for Fluid and may change the namespaces between contexts.

Converting the cache to a non-static property cleans it properly when a new ViewHelperResolver is created.

* [BUGFIX] Remove incorrect throws annotation (#355)

Exception class doesn't exist.

* [TASK] Add PHP 7.2 to travis (#363)