Escape URLs to avoid XSS #11092

Merged
merged 1 commit into from Aug 29, 2017

ceeram (Member) commented Aug 24, 2017

Escape URLs to avoid XSS

@ceeram ceeram self-assigned this Aug 24, 2017

@markstory markstory added this to the 3.5.1 milestone Aug 24, 2017

codecov-io commented Aug 24, 2017

Codecov Report

Merging #11092 into master will increase coverage by 0.06%.
The diff coverage is 100%.

@@             Coverage Diff              @@
##             master   #11092      +/-   ##
============================================
+ Coverage     94.86%   94.92%   +0.06%     
- Complexity    12838    13060     +222     
============================================
  Files           437      437              
  Lines         32733    33062     +329     
============================================
+ Hits          31051    31383     +332     
+ Misses         1682     1679       -3
Impacted Files                   Coverage Δ                 Complexity Δ
src/View/Helper/HtmlHelper.php   98.7% <ø> (ø)              131 <0> (ø) ⬇️
src/View/Helper/UrlHelper.php    98.82% <100%> (ø)          36 <0> (ø) ⬇️
src/View/StringTemplate.php      98.95% <100%> (+0.02%)     39 <0> (+1) ⬆️
src/Http/ActionDispatcher.php    100% <0%> (ø)              21% <0%> (+2%) ⬆️
src/Controller/Controller.php    99.53% <0%> (+0.07%)       102% <0%> (+25%) ⬆️
src/Http/ServerRequest.php       99.65% <0%> (+0.16%)       432% <0%> (+194%) ⬆️
src/Cache/CacheRegistry.php      100% <0%> (+4%)            11% <0%> (ø) ⬇️
src/Cache/CacheEngine.php        93.61% <0%> (+4.25%)       19% <0%> (ø) ⬇️

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update fcb8736...0c88f63.

ceeram (Member) commented Aug 24, 2017

fixed cs issue and replaced preg_match_all with preg_match

@markstory markstory merged commit da84f00 into master Aug 29, 2017

6 checks passed

codecov/patch: 100% of diff hit (target 94.86%)
codecov/project: 94.92% (+0.06%) compared to fcb8736
continuous-integration/appveyor/pr: AppVeyor build succeeded
continuous-integration/travis-ci/pr: The Travis CI build passed
continuous-integration/travis-ci/push: The Travis CI build passed
stickler-ci: No lint errors found.

@markstory markstory deleted the html-helper-escape-urls branch Aug 29, 2017

dereuromark (Member) commented Sep 1, 2017

This causes a major regression in all HtmlHelper-generated img URLs that contain query strings:
https://travis-ci.org/dereuromark/cakephp-geo/builds/270748293?utm_source=github_status&utm_medium=notification
Those URLs now have double-encoded query string params:

<img src=".../staticmap?size=300x300&amp;amp;format=png&amp;amp;mobile=false&amp;amp;zoom=13&amp;amp;maptype=roadmap" alt="Karte"/>

We need a 3.5.2 to fix this before too many people update and have their apps completely broken.
Maybe also issue a warning in the 3.5.1 release notes not to upgrade to this and skip to the next patch release instead.

markstory (Member) commented Sep 1, 2017

I think it is relevant to mention that your plugin was HTML encoding URLs before passing them to assetUrl methods in UrlHelper, and that is the source of double encoding.

dereuromark (Member) commented Sep 1, 2017

Indeed. It was properly handling it on its own. I guess people doing similar handling will have to fix their code now to adhere to the new security standard of this patch release.
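
The double encoding discussed in the two comments above, shown in plain PHP as an added example (this is not code from the PR or from CakePHP; the function names `escapeForAttribute`, `escapeIdempotent` and `isDoubleEncoded` and the sample URL are chosen here for illustration, and `htmlspecialchars` stands in for whatever the helper actually calls). A caller that HTML-escapes a URL before handing it to a helper that now escapes it too ends up with `&amp;amp;` in the attribute, which is exactly what the failing build shows:

```php
<?php
declare(strict_types=1);

// Added example, not CakePHP code. Names (escapeForAttribute, escapeIdempotent,
// isDoubleEncoded) and the sample URL are chosen here for illustration.

// Constructed sample: a static-map URL with a query string, like the one in
// the regression report.
const RAW_URL = 'https://maps.example/staticmap?size=300x300&format=png&zoom=13';

// Helper-side escaping of a URL for use in an HTML attribute. Stands in for
// what the patched helper does conceptually: escape once, on output.
function escapeForAttribute(string $url): string
{
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Tolerant variant: double_encode=false tells PHP to leave existing entities
// such as &amp; alone while still escaping raw &, <, >, " and '.
function escapeIdempotent(string $url): string
{
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8', false);
}

// Detection: an ampersand entity immediately followed by another entity name
// and ';' (e.g. "&amp;amp;" or "&amp;quot;") is the signature of a value that
// was escaped twice. Useful as an assertion over rendered markup in tests.
function isDoubleEncoded(string $markup): bool
{
    return preg_match('/&amp;(amp|lt|gt|quot|apos|#\d+);/', $markup) === 1;
}

function expect(bool $condition, string $message): void
{
    if (!$condition) {
        throw new RuntimeException('Expectation failed: ' . $message);
    }
}

// The caller pattern that broke: the plugin HTML-escaped the URL itself
// before handing it to the helper, which now escapes it again.
$preEscaped = htmlspecialchars(RAW_URL, ENT_QUOTES, 'UTF-8');

$once  = escapeForAttribute(RAW_URL);     // ...&amp;format=png...
$twice = escapeForAttribute($preEscaped); // ...&amp;amp;format=png...

expect($once === 'https://maps.example/staticmap?size=300x300&amp;format=png&amp;zoom=13',
    'single escape produces &amp; once per ampersand');
expect(!isDoubleEncoded($once), 'single escape is not flagged');
expect(isDoubleEncoded($twice), 'escaping pre-escaped input is flagged');

// The tolerant variant gives the same output for raw and pre-escaped input,
// so a helper using it would not have produced this regression...
expect(escapeIdempotent(RAW_URL) === $once, 'idempotent escape of raw URL');
expect(escapeIdempotent($preEscaped) === $once, 'idempotent escape of pre-escaped URL');

// ...but it is a heuristic: anything that already looks like a valid entity is
// trusted as-is, so a raw query value that happens to spell one is not escaped.
expect(escapeIdempotent('?q=&lt;b&gt;') === '?q=&lt;b&gt;', 'entity-shaped text passes through');

echo "once : {$once}\n";
echo "twice: {$twice}\n";
echo 'double-encoded? ', isDoubleEncoded($twice) ? 'yes' : 'no', "\n";
```

The `double_encode = false` variant is tolerant of pre-escaped input, but as the last check shows it trusts anything entity-shaped, so it is not a substitute for a clear contract. The contract the thread settles on is the simpler one: callers pass raw URLs and escaping happens exactly once, in the helper. `isDoubleEncoded()` is the kind of check a plugin's test suite can run over rendered markup to catch a re-escaping regression early.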

markstory added a commit that referenced this pull request Nov 15, 2017

Add missing url encoding to protocol relative URLs
Protocol relative URLs were missed from the changes in #11092 as they
are handled by a different code branch.

@Agacor Agacor referenced this pull request Apr 12, 2018 in #11922 (closed): UrlHelper assetUrl() error filtering data:image/*;base64

@cakephp cakephp deleted a comment from lorenzo Apr 12, 2018
