Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bug fix: Fix triple HTML encoding #17247

Merged
merged 2 commits into from Dec 21, 2021

Conversation

kamil-tekiela
Copy link
Contributor

Some values were double or even triple encoded in the HTML/JS. This resulted in garbled up text. This PR removed HTML escaping from places where it is not needed.

Cherry-picked from #17246 onto QA_5_1 branch

Some values were encoded into HTML entities thrice. This commit removes
unnecessary HTML escaping.

Signed-off-by: Kamil Tekiela <tekiela246@gmail.com>
The values of < > ' " & are double escaped in the confirmation dialog.
Since the values are inserted via twig into HTML, there is no need to
escape them twice.

Signed-off-by: Kamil Tekiela <tekiela246@gmail.com>
@codecov
Copy link

codecov bot commented Dec 14, 2021

Codecov Report

Merging #17247 (903afe8) into QA_5_1 (d2cd67f) will decrease coverage by 0.00%.
The diff coverage is 66.66%.

Impacted file tree graph

@@             Coverage Diff              @@
##             QA_5_1   #17247      +/-   ##
============================================
- Coverage     57.78%   57.78%   -0.01%     
+ Complexity    15324    15323       -1     
============================================
  Files           471      471              
  Lines         62127    62124       -3     
============================================
- Hits          35899    35896       -3     
  Misses        26228    26228              
Flag Coverage Δ
arch-7-amd64 61.13% <66.66%> (-0.01%) ⬇️
arch-7-arm32v6 61.02% <66.66%> (-0.01%) ⬇️
arch-7-arm32v7 61.02% <66.66%> (-0.01%) ⬇️
arch-7-arm64v8 61.13% <66.66%> (-0.01%) ⬇️
arch-7-i386 61.02% <66.66%> (-0.01%) ⬇️
arch-7-ppc64le 61.13% <66.66%> (-0.01%) ⬇️
arch-7-s390x 60.99% <66.66%> (-0.01%) ⬇️
dbase-extension 57.47% <66.66%> (-0.01%) ⬇️
recode-extension 57.42% <66.66%> (-0.01%) ⬇️
unit-7.1-ubuntu-latest 57.42% <66.66%> (-0.01%) ⬇️
unit-7.2-ubuntu-latest 57.60% <66.66%> (-0.01%) ⬇️
unit-7.3-ubuntu-latest 61.15% <66.66%> (-0.01%) ⬇️
unit-7.4-ubuntu-latest 61.16% <66.66%> (-0.01%) ⬇️
unit-8.0-ubuntu-latest 61.21% <66.66%> (-0.01%) ⬇️
unit-8.1-ubuntu-latest 61.09% <66.66%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
libraries/classes/Display/Results.php 48.74% <0.00%> (ø)
...s/classes/Controllers/Table/RelationController.php 23.03% <100.00%> (-1.28%) ⬇️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 0b9b2c0...903afe8. Read the comment docs.

@williamdes williamdes added this to the 5.1.2 milestone Dec 14, 2021
Comment on lines -325 to +328
$columns = [];
foreach ($columnList as $column) {
$columns[] = htmlspecialchars($column);
}
if ($GLOBALS['cfg']['NaturalOrder']) {
usort($columns, 'strnatcasecmp');
usort($columnList, 'strnatcasecmp');
}
$this->response->addJSON('columns', $columns);

$this->response->addJSON('columns', $columnList);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can confirm this part of the fix in the column select to add a foreign key when the column has a strange name

Copy link
Member

@williamdes williamdes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you provide ways to test all the parts of this fix please ?
I could confirm one of the changes

@kamil-tekiela
Copy link
Contributor Author

  1. Create a table with varchar(255) as a primary key. Enter a record with primary key '"<>&a. Press delete button to delete that row. The SQL is garbled.
  2. Create a table called '"<>&a with a column called '"<>&a. Create index on the column with the default name. Try to drop that index. The SQL is garbled.
  3. Create a table '"<>&a with a column '"<>&a and foo. Create relationship called '"<>&a on the table '"<>&a on the column foo pointing to column '"<>&a. Try to force the value dropdown via AJAX. The column name is garbled and cannot be selected.

There is also 1 more error when you try to delete a column called '"<>&a but I haven't fixed that one.

I hope these steps can be reproduced, let me know if not and I will prepare more detailed steps.

@MauricioFauth MauricioFauth merged commit d93b60e into phpmyadmin:QA_5_1 Dec 21, 2021
@MauricioFauth MauricioFauth self-assigned this Dec 21, 2021
MauricioFauth added a commit that referenced this pull request Dec 21, 2021
Related to #17247.

Signed-off-by: Maurício Meneghini Fauth <mauricio@fauth.dev>
MauricioFauth added a commit that referenced this pull request Dec 21, 2021
Signed-off-by: Maurício Meneghini Fauth <mauricio@fauth.dev>
@kamil-tekiela kamil-tekiela deleted the HTML-entities-5_1 branch June 2, 2022 20:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

3 participants