Unescaped content sent on votes, leading to invalid forms #341

Closed

mtancoigne opened this issue Jun 5, 2018 · 4 comments

Comments

@mtancoigne

mtancoigne commented Jun 5, 2018

Steps to reproduce

  1. Create a new text based poll
  2. Add an entry with double quotes (i.e. Oui et j'ai un "petit" niveau (appels api, état global avec VueX, évènements))
  3. Add some entries and save
  4. Visit the poll and change the state of the entry with double quotes.
  5. Save your answers

Expected behaviour

The entry with changed state should have its new state saved

Actual behaviour

Status of the "double quoted string" did not change

Server configuration

Operating system:
Ubuntu 16.04
Web server:
Apache 2
Database:
Mysql
PHP version:
7
Nextcloud version: (see Nextcloud admin page)
13.0.2
Where did you install Nextcloud from:
I don't remember
Signing status:

No errors have been found.

Additional information:

Going to "edit" the poll shows an empty list of options and the JS console states:

SyntaxError: JSON.parse: expected ',' or ']' after array element at line 1 column 9 of the JSON data

After manually removing the quotes with a mysql client, everything went fine.

The issue comes from the fact that when a poll is submitted, the raw values are sent to the server, unescaped, and when the server creates JSON for the edit form, the same thing happens:

Data sent when voting for two options: foo "foo" and bar bar

| Field | Value |
| -- | -- |
| changed | true |
| dates | ["foo+","bar bar"]  // good strings would have been ["foo+\"foo\"", "bar bar"] |
| pollId | 4 |
| receiveNotifications | false |
| types | [1,1] |
| userId | admin |

Possible things to do to correct this:

  • Escape the strings before they are sent to server (and from server to edit form)
  • better: send ids to server instead of strings...
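The failure the report describes, as an added example that is not part of the polls app or of this issue: building the JSON array by gluing quotes around raw option text breaks as soon as an option contains a double quote, while `JSON.stringify` escapes it; the last function shows the reporter's second suggestion (send option ids instead of the text). The option texts are constructed samples.

```javascript
// Added example, not code from the polls app. It contrasts hand-built JSON,
// which the issue describes, with JSON.stringify, and shows the id-based
// payload the reporter suggests. The option texts below are constructed samples.
const OPTIONS = ['foo "foo"', 'bar bar', 'Oui et j\'ai un "petit" niveau'];

// Naive payload: concatenating quotes around raw text. A double quote inside
// an option ends the JSON string early, so the result is not valid JSON.
function buildPayloadNaive(options) {
  return '[' + options.map(o => '"' + o + '"').join(',') + ']';
}

// Safe payload: the serializer escapes quotes, backslashes and control characters.
function buildPayloadSafe(options) {
  return JSON.stringify(options);
}

// Parse a payload and return null on malformed input instead of throwing,
// which is the failure the edit form hit ("expected ',' or ']' ...").
function tryParse(json) {
  try {
    return JSON.parse(json);
  } catch (err) {
    return null;
  }
}

// Round-trip: serialize, parse back and compare element by element.
function roundTrip(options, builder) {
  const parsed = tryParse(builder(options));
  const ok = Array.isArray(parsed) &&
    parsed.length === options.length &&
    parsed.every((v, i) => v === options[i]);
  return { ok, parsed };
}

// Id-based payload: the client sends the index of each chosen option rather
// than its text, so free text never needs to survive a JSON round trip at all.
function selectedIds(options, chosenTexts) {
  const ids = [];
  options.forEach((text, id) => { if (chosenTexts.includes(text)) ids.push(id); });
  return ids;
}

// Stand-alone demo when run with node.
console.log(buildPayloadNaive(OPTIONS), '->', roundTrip(OPTIONS, buildPayloadNaive).ok);
console.log(buildPayloadSafe(OPTIONS), '->', roundTrip(OPTIONS, buildPayloadSafe).ok);
console.log(selectedIds(OPTIONS, ['foo "foo"', 'bar bar']));
```

The naive payload produces exactly the kind of `SyntaxError` quoted above: the parser reads `"foo "` as a complete string and then finds `foo` where it expects `,` or `]`. The same rule applies on the server side when it emits JSON for the edit form: use the platform's JSON encoder rather than string concatenation.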
@dartcafe dartcafe added the bug label Jun 10, 2018
@dartcafe dartcafe modified the milestones: 0.9.0, 0.8.2 Jun 10, 2018
@dartcafe
Collaborator

Error in votes.js. Will inspect. Thanks for reporting

@dartcafe dartcafe self-assigned this Jun 10, 2018
@joergmschulz
Contributor

joergmschulz commented Jul 18, 2018

Yes sir, something still has to be done in beta2 for 9.0.
Weird things might happen when you include HTML tags like:

[image: grafik]

Luckily, a tag has been thrown away just like HREF tags.
[image: grafik]

https://test.elternserver.de/index.php/apps/polls/poll/7ceCzpgSrEuSD59e
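The HTML-tag case from the comment above, as an added example that is not the polls app's code: option text is data, so when it is interpolated into markup it has to be HTML-escaped (or inserted as a text node), and tying the form value to an option id keeps the text out of the request entirely. The sample texts are constructed.

```javascript
// Added example, not code from the polls app. Escapes option text before it
// is placed in markup and uses the option id, not the text, as the form value.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Replace the five characters that can change HTML structure or break out of
// an attribute with their entity references.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, ch => ESCAPES[ch]);
}

// One checkbox row for an option. The value carries the id, so neither the
// option text nor any quote inside it has to round-trip through the request.
function renderOption(id, text) {
  return '<label><input type="checkbox" name="option" value="' + escapeHtml(String(id)) + '"> ' +
         escapeHtml(text) + '</label>';
}

// Constructed sample options, including tags and quotes in the text.
const SAMPLE = [
  { id: 1, text: '<b>bold</b> & "quoted"' },
  { id: 2, text: 'plain option' },
];

function renderAll(options) {
  return options.map(o => renderOption(o.id, o.text)).join('\n');
}

console.log(renderAll(SAMPLE));
```

Escaped this way the tag shows up literally as text instead of being rendered or silently dropped, so the voter sees exactly the option text that was saved.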

@joergmschulz
Contributor

Browsers behave differently: while Safari and Firefox don't care about the "", Chrome does:
[image: grafik]

@dartcafe dartcafe modified the milestones: 0.8.2, 0.9.0 Jul 19, 2018
@dartcafe dartcafe modified the milestones: 0.9.0, 0.9.1 Sep 15, 2018
dartcafe added a commit that referenced this issue Sep 15, 2018
#341
Update minimum version to NC14 in info.xml
@dartcafe
Collaborator

Fixed in 0.9-beta5
