New way for input getString and getHtml #16875
Conversation
Sounds good to me.
'', | ||
'<>', | ||
'<>', | ||
'From generic cases' |
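Review bot: the expected value in this test case is identical to its input `'<>'`, while the summary of changes says `getHtml()` now escapes `<` and `>` that do not form a tag instead of removing them; the expectation should state the escaped output explicitly (or, if `<>` is to be dropped as the reply suggests, the summary's `<>` rule should say so) so the test pins down one behaviour.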
Doesn't look right to me, I think this should be left as it is.
I should add one detail. This test is parsing input as HTML (not STRING). As a result it should be valid HTML. It cannot stay as `<>`. I can only remove it. I'll probably do that.
'', | ||
'< >', | ||
'< >', | ||
'From generic cases' |
same as above
The PHP function `strip_tags()` does almost the same, meaning it outputs `< >`. The old version from 3.7.2 leaves only `>`.
'<< >>', | ||
'<< >>', | ||
'From generic cases' | ||
), |
same as above
I may change that to output only `>` or `>`.
I am not going to merge this. After some discussion I came to the conclusion that we need to look deeper into this and that we don't have the time to do this before the next release is out.
OK. If this can help I can remove all changes from point 2, meaning all changes for
@rdeutz If this issue #16842 is going to be introduced in the next 3.7.3 update it should be at least documented, as potential issues can arise. For example our extensions need an update because the `>` character is stripped out by `getString`.
I wrote a small PR to fix only the B/C break in the input filter. It is not as complicated as this one.
Pull Request for Issue #16812

I'm not sure if this is correct. This is my initial concept.

Summary of Changes

1. `getString()` method: always remove all tags. The above idea is borrowed from #16842.
2. `getHtml()` method: escapes `<` and `>` instead of removing them:
   - `<` is followed by a white space, ex `4 < 5`, then it will be replaced by `4 &lt; 5`
   - `>` does not have a paired `<`, ex: `A>B` => `A&gt;B`
   - `<>`, then those characters will be replaced by `&lt;&gt;` ???
   - `<` does not have a pair with `>`, then it will be replaced by `&lt;`, ex: `A<B` => `A&lt;B`

Notice: A non well formed numeric value encountered in .../libraries/joomla/filter/input.php on line 1202 divHello "Joomla"
tested as:

Testing Instructions

Not yet.

I suspect that point 2 above could not be accepted in full. Any comments?

Expected result

`getString()` will always return clean text without any tags. Input whitelist and blacklist will not change that.

Actual result

...

Documentation Changes Required

Probably.
Details
| Input | Filter | Results |
|---|---|---|
| `'<em'` | STRING | `'em'`, `''`, `'<em'`, `''`, `'em'`, `'<em'` |
| `'<em'` | HTML | `'em'`, `'<em'` |
| `'<em'` | STRING | `'em'`, `''`, `'<em'`, `''`, `'em'`, `'<em'` |
| `'<em'` | HTML | `'<em'`, `'<em'` |
| `'em>'` | STRING | `'em>'`, `'em>'`, `'em>'`, `''`, `'em>'`, `'em>'` |
| `'em>'` | HTML | `'em>'`, `'em>'` |
| `'em>'` | STRING | `'em>'`, `'em>'`, `'em>'`, `''`, `'em>'`, `'em>'` |
| `'em>'` | HTML | `'em>'`, `'em>'` |
| `'< '` | STRING | `' '`, `'< '`, `'< '`, `''`, `' '`, `'< '` |
| `'< '` | HTML | `' '`, `'< '` |
| `'< '` | STRING | `' '`, `'< '`, `'< '`, `''`, `' '`, `'< '` |
| `'< '` | HTML | `'< '`, `'< '` |
| `'<>'` | STRING | `''`, `''`, `'<>'`, `''`, `''`, `'<>'` |
| `'<>'` | HTML | `''`, `'<>'` |
| `'<>'` | STRING | `''`, `''`, `'<>'`, `''`, `''`, `'<>'` |
| `'<>'` | HTML | `'<>'`, `'<>'` |
(*) Old behaviour means behaviour on J3.7.2 and older.
(**) I'm going to revert behaviour for point 4 on this PR.
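The escaping rule proposed under point 2 of the summary, written out as an added PHP example. This is not Joomla's input filter and not the diff of this PR; the function name `escapeStrayAngleBrackets` and the exact heuristic for deciding that a `<` or `>` is "stray" are my assumptions drawn from the four sub-points (whitespace after `<`, `>` with no opening `<`, a bare `<>`, and a `<` that never closes). Well-formed tags are passed through untouched so the effect on the Details cases can be compared with the table above.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical re-implementation (not Joomla's code) of the getHtml() rule
 * described in the PR summary: keep anything that looks like a tag, but
 * escape every '<' or '>' that cannot be part of a tag instead of stripping it.
 *
 * A '<' is treated as stray (and becomes "&lt;") when it is the last character,
 * is followed by whitespace, is followed directly by '>', or has no '>' after it
 * at all. A '>' reached outside a tag has no opening '<' and becomes "&gt;".
 */
function escapeStrayAngleBrackets(string $input): string
{
    $out = '';
    $len = strlen($input);
    $i   = 0;

    while ($i < $len) {
        $ch = $input[$i];

        if ($ch === '<') {
            $next  = ($i + 1 < $len) ? $input[$i + 1] : '';
            $close = strpos($input, '>', $i + 1);

            // "4 < 5", "<>", "A<B" and a trailing "<" are not tags: escape the bracket.
            if (trim($next) === '' || $next === '>' || $close === false) {
                $out .= '&lt;';
                $i++;
                continue;
            }

            // Looks like a tag: copy it through unchanged up to and including '>'.
            $out .= substr($input, $i, $close - $i + 1);
            $i = $close + 1;
            continue;
        }

        if ($ch === '>') {
            // Any '>' seen here was not consumed as a tag close, so it has no pair ("A>B").
            $out .= '&gt;';
            $i++;
            continue;
        }

        $out .= $ch;
        $i++;
    }

    return $out;
}

// Inputs taken from the PR summary and the Details table, plus one well-formed tag
// to show it is left alone. Constructed sample input, not test data from the PR.
$cases = ['<em', 'em>', '< ', '<>', '4 < 5', 'A>B', 'A<B', '<em>ok</em>'];

foreach ($cases as $case) {
    printf("%-14s => %s\n", var_export($case, true), escapeStrayAngleBrackets($case));
}
```

Run with `php example.php`; `'<em'` becomes `&lt;em`, `'em>'` becomes `em&gt;`, `'< '` becomes `&lt; `, `'<>'` becomes `&lt;&gt;`, `'A<B'` becomes `A&lt;B`, and `'<em>ok</em>'` is unchanged. Because a stray `<` is escaped rather than treated as the start of a tag, the text after it survives, which is the backwards-compatibility point raised in the conversation about `>` being stripped by `getString()`.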