-
-
Notifications
You must be signed in to change notification settings - Fork 528
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
An Open angle bracket < in custom field within Manager Form crashes the save process #13711
Comments
My current solution is JS document.getElementById("myEl").value = content.replace(/(?:<)/g, "<++;");
//snuff out all opening angle brackets with custom entity PHP $content = str_replace("<++;", "<", $content);
//remove your custom entity before saving resource |
After looking into this in modxbughunt#3, the issue is due to Ext.data.Connection truncating the json which arrives intact from modconnectorresponseclass->outputContent(). So it is already invalid before it arrives into utilities.js -> Ext.override(Ext.form.Action.Submit.... handleResponse() where the error is raised. The ExtJS docs for Ext.data.Connection state that:
So the content from custom fields must be processed before it gets sent to the server. The error is not encountered if a closing bracket is present. |
Nice detective work. Is there any way to solve this issue, or is the issue in Extjs itself? |
It's in Ext. It creates a iframe and drops the response text into the body. I am thinking to override the class to add a <textarea> into the iframe. The response would be put into that and not be parsed as html. |
Sounds tricky. Perhaps this is impossible to deal with properly until we can get rid of extjs or bump its version? |
It shouldn't be that complicated although it will need some checking for side-effects. |
@Finetuned What do you mean? If the problem is caused by Extjs and only Extjs, there is no way for us to fix it currently. |
As there's no more updates, I think we can make a bugfix in the depths of extjs if needed. Or maybe there's a way to override it in a different way. Perhaps someone already has a fix for it somewhere on the web? |
I wouldn't change the library itself as Ext.override() is available for this. |
Ok, so I've taken a different approach to this: When the JSON response comes back and is truncated by the browser, we catch this in ExtJS and replace the truncated responseText with an empty fallback response: Truncated json: Fallback Response:
This is all written and working but I'd like some input on the UX and error handling It would be possible to repair the damaged object thus providing a partial response but I wonder if this is worth the effort/overhead? The alternatives are to
Given that this process is not performed using a real xmlhttprequest, the faked response wrapper never returns a failure. We don't know at this point whether the save was performed successfully so I suggest we use the error log and let the response pass through to any listeners that can deal with it as they wish. As far as the UX goes, I initially thought to use the following lexicon entries but they don't really completely explain the problem (due to the fake ajax explained above) and the successful save of data on the server side: MODx.lang.warning > 'Warning!' |
I think it is possible to add some code in |
If I understand correctly @Jako - the problem is in the response handling, not sending the request. Encoding all entities is also going to break saving basic things like chunks/templates which should not be encoded. |
Sorry, I missed the two If I read the modConnectorResponse code right, the work (htmlspecialchars on the custom fields) has to be done in the processor called with runProcessor. Since @donShakespeare wants to save the the field in a modResource, the custom field could be processed with htmlspecialchars in |
@Jako Mark is right, the submitted form is processed fine by the server and a correct response is returned. It's the way Ext.data.Connection implements this that is causing the issue: in Don's case, the unmatched < is truncated by the browser when it renders the response. Their documentation details this in the introduction to that class. |
I've pushed the changes on my [branch] (2.x...Finetuned:bug-13711). Hopefully it will make things easier to discuss |
So the question is: What is different between the default resource fields (that could contain this < sign to) and the custom field. The answer is quite simple: The resource fields are not returned and the custom field is returned. So the custom field has to be stripped away (unset) in |
@Jako, the difference, for me at least, is that the standard resource fields are known in advance (hardcoded into update.class.php in the cleanup function ). This problem extends beyond Don's specific use case: an unknown number of custom fields with unknown names are possible. This is why I'm suggesting passing through a warning in place of a truncated response. The warning makes escaping html entities the CMP developer's responsibility. They know best what their specific CMP is trying to achieve and can react according to the context of their CMP. |
@gadgetto can you remember/share some of our experiments on that day? I failed to logged them here. Might help in the thorough solving of this issue. This |
@donShakespeare please read this: https://forums.modx.com/thread/103273/solved-extjs-problem-while-saving-content-of-textarea-contains-html-tags Should explain what I did! |
I may have found a simpler fix than #13810 for this. The problem remains that ExtJS uses an iframe to submit requests. The response in that iframe is processed by the browser, causing HTML to break the (otherwise valid) JSON response. JSON can contain HTML, even invalid HTML, just fine, it's only ExtJS' iframe-based request handling that breaks it. That code looked remarkably close to what @Finetuned tried to do in #13810, by wrapping the result in a textarea, which unfortunately would break a lot of things. However, setting a Content-Type header would not be quite as invasive to extras/non-mgr usage of connectors, as only really silly ways of submitting a request (like an iframe) would get a slightly different response. So, back-porting that ext4 change into our ancient ext3, and updating modConnectorResponse to issue a text/json (or application/json) content type header, solves the problem! I reformatted ext-all.js as a quick test and added
before the handling for In modConnectorResponse there's some logic that only sets an application/json header when the request came from an xmlhttprequest. I just added And voila, my test case for this bug was fixed! :D I think this would be a safer fix than #13810 as it doesn't change the actual content, just a header, but still fixes it. Would need some cleaning up and more testing, but this may be a way for us to get proper json support... |
An open angle bracket
<
in custom field (from MODx.onDocFormRender or however) within Manager Form crashes the save process, but the content is still saved on the server without errorMODX 2.6.0 and below
To Reproduce
https://docs.modx.com/revolution/2.x/case-studies-and-tutorials/adding-custom-fields-to-manager-forms
Quick Reproduce
The text was updated successfully, but these errors were encountered: