Rel 702 fixups #7485
Rel 702 fixups #7485
Conversation
| @@ -109,6 +109,7 @@ public function doRender($template_id, $template_content = null, $json_data = nu | |||
| // purify html (and remove js) | |||
| $isLegacy = stripos($template, 'portal_version') === false; | |||
| $config = HTMLPurifier_Config::createDefault(); | |||
| $config->set('Cache.SerializerPath', $GLOBALS['temporary_files_dir']); | |||
There was a problem hiding this comment.
Do we need a subfolder in the temp directory for this? Probably overly paranoid but just wondering if there's a risk of other files in the apache php processor space being overwritten (session files, upload files). It'd be a supply chain attack on htmlpurifier, so probably too paranoid here.
There was a problem hiding this comment.
wondered about that but we need a writable folder somewhere
There was a problem hiding this comment.
opened #7520 to address this but maybe you meant a separate dir in /tmp not in sites/default/documents/temp then the system purges it instead of having it hang around in documents
There was a problem hiding this comment.
I was meaning a separate dir in /tmp. Depends on how much we care about shared hosts. Share hosts sometimes lock down the /tmp directory and writing to the configured OpenEMR temp directory would probably be the least surprising for someone whose configured that global option. Not sure if HTMLPurifier cleans up its own cache files though.
…#7521) * fix: create custom temp directory for html purify serializer * make subdir in temporary_files_dir * use constant instead of slash * log mkdir error
Fixes #
Short description of what this resolves:
Changes proposed in this pull request: