Quotation marks get html escape in file comments #28243

Closed
guystreeter opened this issue Jul 29, 2021 · 6 comments · Fixed by #29029
@guystreeter


Steps to reproduce

  1. Open the sidebar for a file, select the comments tab, enter a comment containing a double-quote (") character.
  2. Look at the completed comments

Expected behaviour

The entered double-quote character should display when viewing the comment.

Actual behaviour

The double-quote character is replaced by the sequence &quot;
However, the "Activity" tab correctly shows the double-quote character.

Server configuration

Operating system:

Official Docker Apache container.

Web server:

Apache

Database:

mariadb

PHP version:

7.4.21

Nextcloud version: (see Nextcloud admin page)

22.0.0

Updated from an older Nextcloud/ownCloud or fresh install:

Fresh install

Where did you install Nextcloud from:

docker.io/library/nextcloud

Signing status:

No errors have been found.

List of activated apps:

Enabled:
  - accessibility: 1.7.0
  - activity: 2.15.0
  - camerarawpreviews: 0.7.11
  - circles: 22.0.0
  - cloud_federation_api: 1.4.0
  - comments: 1.11.0
  - contacts: 4.0.1
  - contactsinteraction: 1.2.0
  - dashboard: 7.1.0
  - dav: 1.18.0
  - facerecognition: 0.8.3
  - federatedfilesharing: 1.11.0
  - federation: 1.11.0
  - files: 1.16.0
  - files_antivirus: 3.2.1
  - files_pdfviewer: 2.3.0
  - files_rightclick: 1.1.0
  - files_sharing: 1.13.2
  - files_trashbin: 1.11.0
  - files_versions: 1.14.0
  - files_videoplayer: 1.11.0
  - firstrunwizard: 2.11.0
  - groupfolders: 9.0.2
  - logreader: 2.7.0
  - lookup_server_connector: 1.9.0
  - maps: 0.1.9
  - nextcloud_announcements: 1.11.0
  - notifications: 2.10.1
  - oauth2: 1.9.0
  - password_policy: 1.12.0
  - photos: 1.4.0
  - previewgenerator: 3.1.1
  - privacy: 1.6.0
  - provisioning_api: 1.11.0
  - recommendations: 1.1.0
  - registration: 1.3.0
  - serverinfo: 1.12.0
  - settings: 1.3.0
  - sharebymail: 1.11.0
  - spreed: 12.0.1
  - support: 1.5.0
  - survey_client: 1.10.0
  - systemtags: 1.11.0
  - terms_of_service: 1.8.0
  - text: 3.3.0
  - theming: 1.12.0
  - twofactor_backupcodes: 1.10.1
  - updatenotification: 1.11.0
  - user_status: 1.1.1
  - viewer: 1.6.0
  - weather_status: 1.1.0
  - welcome: 0.0.5
  - workflowengine: 2.3.0
Disabled:
  - admin_audit
  - encryption
  - files_external
  - user_ldap

Nextcloud configuration:

{
    "system": {
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "gmsmrz.ooguy.com",
            "predator.local"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "22.0.0.11",
        "overwrite.cli.url": "http:\/\/localhost",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "default_phone_region": "US",
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "ssl",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": 1,
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "app_install_overwrite": [
            "camerarawpreviews",
            "previewgenerator",
            "groupfolders"
        ],
        "maintenance": false
    }
}

Are you using external storage, if yes which one: local/smb/sftp/...

No

Are you using encryption: yes/no

No

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...

No

Client configuration

Browser:

Chrome

Operating system:

Fedora 34

Logs

Web server error log

I don't know how to find this. I'll figure it out if you really need it.

Nextcloud log (data/nextcloud.log)

This is longer than the scrollback on my terminal. If you really need it, I can try to find a way to get it out of the container and attach it.

Browser log

IRefused to execute script from 'https://predator.local:8080/apps/dashboard/' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled.
:8080/ocs/v2.php/apps/text/workspace?path=%2F:1 Failed to load resource: the server responded with a status of 404 ()
:8080/ocs/v2.php/apps/text/workspace?path=%2Floose:1 Failed to load resource: the server responded with a status of 404 ()
:8080/ocs/v2.php/apps/spreed/api/v1/file/1131:1 Failed to load resource: the server responded with a status of 404 ()
8Mixed Content: The page at '<URL>' was loaded over HTTPS, but requested an insecure element '<URL>'. This request was automatically upgraded to HTTPS, For more information see <URL>
:8080/ocs/v2.php/apps/spreed/api/v1/file/1131:1 Failed to load resource: the server responded with a status of 404 ()
:8080/ocs/v2.php/apps/user_status/api/v1/statuses/undefined:1 Failed to load resource: the server responded with a status of 404 ()
:8080/ocs/v2.php/apps/spreed/api/v1/file/1131:1 Failed to load resource: the server responded with a status of 404 ()
994util.js:135 OC.Util.relativeModifiedDate is deprecated and will be removed in Nextcloud 21. See @nextcloud/moment
relativeModifiedDate @ util.js:135
DevTools failed to load source map: Could not load content for https://predator.local:8080/js/activity/activity-sidebar.js.map?v=fe49d7c520f13702fb7b: HTTP error: status code 404, net::ERR_HTTP_RESPONSE_CODE_FAILURE
DevTools failed to load source map: Could not parse content for https://predator.local:8080/custom_apps/facerecognition/js/personssidebar.js.map: Unexpected token < in JSON at position 0
DevTools failed to load source map: Could not parse content for https://predator.local:8080/custom_apps/facerecognition/js/vendor/autocomplete.js.map: Unexpected token < in JSON at position 0
254util.js:135 OC.Util.relativeModifiedDate is deprecated and will be removed in Nextcloud 21. See @nextcloud/moment
relativeModifiedDate @ util.js:135
(anonymous) @ init.js:101
each @ jquery.js:354
each @ jquery.js:189
(anonymous) @ init.js:100

@guystreeter guystreeter added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Jul 29, 2021
@CarlSchwan CarlSchwan added 1. to develop Accepted and waiting to be taken care of and removed 0. Needs triage Pending check for reproducibility or if it fits our roadmap labels Jul 30, 2021
@PVince81 PVince81 self-assigned this Sep 30, 2021
@PVince81

In oc_comments I can see that the double quotes are preserved, so the problem is happening at retrieval / rendering time.

it seems that it's encoded in the XML, which is correct:
[screenshot]

so we need to verify that upon reading, the contents are transformed again into the original string

@PVince81

seems the bug is likely in the parseXML function from the webdav library: https://github.com/nextcloud/server/blob/master/apps/comments/src/services/GetComments.js#L60

will have to investigate upstream

@PVince81

it looks like the webdav library is using "fast-xml-parser" https://github.com/perry-mitchell/webdav-client/blob/master/source/tools/xml.ts#L1 which itself doesn't support parsing entities: NaturalIntelligence/fast-xml-parser#297

also to note, there can be security concerns when parsing certain special entities but not sure if those concerns apply on the browser side

@PVince81

See https://github.com/perry-mitchell/webdav-client/blob/v4.7.0/source/tools/dav.ts#L80-L81, in the same lib they use https://github.com/perry-mitchell/webdav-client/blob/v4.7.0/source/tools/encode.ts#L12-L14 for decoding

thanks for pointing out.
I've raised an issue for this. perry-mitchell/webdav-client#276

@PVince81

until it's solved maybe we can explicitly parse the message value's entities using a similar approach. I'm sure we can make it work.

however, the previous discoveries mean that there are many other places in Nextcloud where the lib is used and where entities are likely not parsed
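The "explicitly parse the message value's entities" step discussed above, as an added example that is not Nextcloud's or webdav-client's code: it decodes only the five predefined XML entities and numeric character references, exactly once, and leaves any other entity reference (for instance one declared in a DTD) untouched so the decoding step cannot be used for entity expansion. The PROPFIND-style response and the `<oc:message>` element are constructed for the example, and the regex extraction stands in for the real XML parser.

```javascript
// Predefined XML entities. Nothing else is expanded by this function.
const PREDEFINED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };

// Decode entities in one left-to-right pass. Because the scan never revisits
// replaced text, "&amp;quot;" becomes "&quot;" rather than a bare quote:
// a value is decoded once, never twice.
function decodeXmlEntities(text) {
  return text.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*);/g, (match, body) => {
    if (body[0] === "#") {
      const hex = body[1] === "x" || body[1] === "X";
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      // Leave references XML 1.0 forbids (NUL, surrogates, beyond U+10FFFF) as text.
      if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return match;
      return String.fromCodePoint(cp);
    }
    // Unknown or DTD-declared entity names are returned verbatim, not expanded.
    return Object.prototype.hasOwnProperty.call(PREDEFINED, body) ? PREDEFINED[body] : match;
  });
}

// Constructed sample response: the comment text the user typed was
//   say "hello" & <bye>
// and the server correctly serialises it with entities in the XML body.
const SAMPLE_RESPONSE = `<?xml version="1.0"?>
<d:multistatus xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns">
  <d:response>
    <d:propstat><d:prop>
      <oc:message>say &quot;hello&quot; &amp; &lt;bye&gt;</oc:message>
    </d:prop></d:propstat>
  </d:response>
</d:multistatus>`;

// Extract each <oc:message> text node and decode it. A regex is used here only
// so the example runs without dependencies; a real client gets the raw text
// node from its XML parser and then applies decodeXmlEntities to it.
function extractMessages(xml) {
  const out = [];
  const re = /<oc:message>([\s\S]*?)<\/oc:message>/g;
  let m;
  while ((m = re.exec(xml)) !== null) out.push(decodeXmlEntities(m[1]));
  return out;
}

console.log(extractMessages(SAMPLE_RESPONSE));
```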

@PVince81 PVince81 assigned Pytal and unassigned PVince81 Sep 30, 2021
@Pytal Pytal added 3. to review Waiting for reviews and removed 1. to develop Accepted and waiting to be taken care of labels Oct 1, 2021