Rel 702 fixups #7485
@@ -109,6 +109,7 @@ public function doRender($template_id, $template_content = null, $json_data = nu | |||
// purify html (and remove js) | |||
$isLegacy = stripos($template, 'portal_version') === false; | |||
$config = HTMLPurifier_Config::createDefault(); | |||
$config->set('Cache.SerializerPath', $GLOBALS['temporary_files_dir']); |
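Review bot: `$config->set('Cache.SerializerPath', $GLOBALS['temporary_files_dir'])` points HTMLPurifier's serializer cache at the root of the shared temp directory, so the `HTML`, `CSS` and `URI` cache directories it creates land beside whatever else writes there; a dedicated subdirectory, e.g. `$GLOBALS['temporary_files_dir'] . DIRECTORY_SEPARATOR . 'htmlpurifier'`, keeps them isolated. The hunk also does not verify that the path exists and is writable before setting it: HTMLPurifier creates only its own subdirectories, not the base directory, and when the base is missing or unwritable it triggers a PHP warning and skips caching on every request. Create the directory up front (logging `mkdir` failures) or set `Cache.DefinitionImpl` to `null` when no usable directory is available.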
Do we need a subfolder in the temp directory for this? Probably overly paranoid but just wondering if there's a risk of other files in the apache php processor space being overwritten (session files, upload files). It'd be a supply chain attack on htmlpurifier, so probably too paranoid here.
Wondered about that, but we need a writable folder somewhere.
Opened #7520 to address this, but maybe you meant a separate dir in /tmp, not in sites/default/documents/temp. Then the system purges it instead of having it hang around in documents.
I was meaning a separate dir in /tmp. Depends on how much we care about shared hosts. Shared hosts sometimes lock down the /tmp directory, and writing to the configured OpenEMR temp directory would probably be the least surprising for someone who's configured that global option. Not sure if HTMLPurifier cleans up its own cache files though.
…#7521)
* fix: create custom temp directory for html purify serializer
* make subdir in temporary_files_dir
* use constant instead of slash
* log mkdir error
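The follow-up described in that commit message (a dedicated subdirectory under the configured temp dir, built with `DIRECTORY_SEPARATOR`, with mkdir failures logged), written out as an added example that is not OpenEMR's or HTMLPurifier's own code. It assumes `$GLOBALS['temporary_files_dir']` is set as in the hunk above; the function names, the `htmlpurifier_cache` subdirectory name and the autoload path are hypothetical.

```php
<?php
// Added example: give HTMLPurifier's serializer cache its own subdirectory
// under the configured OpenEMR temp directory and verify it before use.
require_once __DIR__ . '/vendor/autoload.php'; // assumed Composer autoload for HTMLPurifier

function openemrPurifierCachePath(): ?string
{
    $base = rtrim((string) ($GLOBALS['temporary_files_dir'] ?? ''), '/\\');
    if ($base === '' || !is_dir($base)) {
        error_log("temporary_files_dir is unset or not a directory: '$base'");
        return null;
    }
    // Dedicated subdirectory (hypothetical name): HTMLPurifier creates HTML/,
    // CSS/ and URI/ inside the path it is given, so keep those out of the
    // shared temp root where sessions, uploads and other temp files live.
    $dir = $base . DIRECTORY_SEPARATOR . 'htmlpurifier_cache';
    if (!is_dir($dir) && !@mkdir($dir, 0700, true) && !is_dir($dir)) {
        // The second is_dir() covers a concurrent request creating the same
        // directory; a real failure is logged instead of being swallowed.
        $err = error_get_last();
        error_log('mkdir failed for ' . $dir . ': ' . ($err['message'] ?? 'unknown error'));
        return null;
    }
    if (!is_writable($dir)) {
        error_log("HTMLPurifier cache directory is not writable: $dir");
        return null;
    }
    return $dir;
}

function openemrPurifierConfig(): HTMLPurifier_Config
{
    $config = HTMLPurifier_Config::createDefault();
    $cache = openemrPurifierCachePath();
    if ($cache !== null) {
        $config->set('Cache.SerializerPath', $cache);
        // Restrict the files and directories the serializer creates (default 0755).
        $config->set('Cache.SerializerPermissions', 0700);
    } else {
        // No usable directory: disable the definition cache rather than letting
        // HTMLPurifier warn on every request and write nothing.
        $config->set('Cache.DefinitionImpl', null);
    }
    return $config;
}

$purifier = new HTMLPurifier(openemrPurifierConfig());
echo $purifier->purify('<p onclick="alert(1)">hello</p>'); // onclick is stripped
```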