
html tag show up in info message in empty dashboard #3128

Closed
vincentfretin opened this issue Jun 28, 2020 · 6 comments

@vincentfretin (Member)

BUG

What I did:

In the toolbar, click on your name, then Dashboard

What I expect to happen:

The dashboard is empty, and a message tells me so without showing an HTML tag in the info message.

What actually happened:

There is an HTML tag in the info message.

(Screenshot 2020-06-28 10-17-46)

What version of Plone/ Addons I am using:

Plone 5.2.2rc1

@vincentfretin (Member, Author)

The Python code is just using the API

message = _(
    u"info_empty_dashboard",
    default=u"Your dashboard is currently empty. Click the"
    " <em>edit</em> tab to assign some personal"
    " portlets.",
)
IStatusMessage(self.request).add(message)

in plone.app.layout/plone/app/layout/dashboard/dashboard.py

The issue is where the message is rendered. How are those info messages rendered in Plone 5?
If it's a page template, there is probably a structure missing.
Note there is a second issue in #3126 where the message type Error is not translated, so the two issues are probably in the same place.

@vincentfretin (Member, Author)

Actually it's in plone.app.layout/plone/app/layout/viewlets/globalstatusmessage.pt
If I replace
tal:replace="message/message | nothing"
by
tal:replace="structure message/message | nothing"

This fixes the rendering. But do we want this fix? Is there any security implication of doing that?

@vincentfretin (Member, Author)

If we have the issue just for this message, we can change it to not include html and that's it.

@mauritsvanrees (Sponsor, Member)

I wondered if the structure keyword was previously here, but no, the first commit already does not have it:
plone/plone.app.layout@fdd8c6f

It could be useful to have this, so you can add links and other markup. But that would have security implications as you suspect, at least Cross Site Scripting. We cannot be sure that all core or add-on code is safe for this. There may be code that says: "Your input was X, this is wrong." Then an attacker could craft a link that leads to javascript being executed, or a link to a rogue site shown.

A feature could be to let IStatusMessage.add have an extra keyword structure_safe to indicate that this message is safe to render with the structure keyword. As long as this is only possible from filesystem code, this should be safe. If you can call this from Script Python objects (or expressions, like in PloneFormGen/easyform) you open another can of worms. So maybe a new method add_safe.

Anyway, for the current case it would be best to remove the <em> tag.
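The escaping behaviour discussed in the comments above (`tal:replace` escaping the message versus `structure` passing it through, and the proposed `structure_safe` / `add_safe` idea) modelled as an added, self-contained example. This is not Plone's code: `StatusMessage`, `SafeMarkup`, `render_status`, `add_message` and `add_safe_message` are hypothetical stand-ins that only mimic the shapes under discussion, and the user-supplied value is a constructed sample.

```python
import html
from dataclasses import dataclass


# Constructed stand-in for a status message record. The real
# Products.statusmessages object is not imported here; the structure_safe
# flag is the hypothetical marker proposed in the thread.
@dataclass(frozen=True)
class StatusMessage:
    type: str
    message: str
    structure_safe: bool = False


class SafeMarkup(str):
    """Hypothetical marker for markup assembled in filesystem code.

    The template string may carry tags (it is trusted, fixed code); every
    interpolated parameter is HTML-escaped, so an untrusted value such as
    user input can never inject markup even when the result is later
    rendered with 'structure'.
    """

    def __new__(cls, template: str, **params):
        escaped = {k: html.escape(str(v), quote=True) for k, v in params.items()}
        return super().__new__(cls, template.format(**escaped))


def render_status(msg: StatusMessage) -> str:
    """Model of globalstatusmessage.pt.

    Plain tal:replace escapes the text (the behaviour in the bug report);
    only a message explicitly marked structure_safe is rendered raw, which
    models a template using the 'structure' keyword for that case.
    """
    if msg.structure_safe:
        body = msg.message
    else:
        body = html.escape(msg.message, quote=True)
    return f'<div class="portalMessage {msg.type}">{body}</div>'


def add_message(text: str, msg_type: str = "info") -> StatusMessage:
    # Equivalent of IStatusMessage(request).add(text): text is escaped on output.
    return StatusMessage(type=msg_type, message=text)


def add_safe_message(markup: SafeMarkup, msg_type: str = "info") -> StatusMessage:
    # Hypothetical add_safe: refuses anything that is not a SafeMarkup, so a
    # plain string (including one built from request data) cannot opt into
    # raw rendering by accident.
    if not isinstance(markup, SafeMarkup):
        raise TypeError("add_safe requires SafeMarkup assembled in code")
    return StatusMessage(type=msg_type, message=str(markup), structure_safe=True)


if __name__ == "__main__":
    # The reported bug: the <em> tag shows up literally because it is escaped.
    print(render_status(add_message("Click the <em>edit</em> tab")))
    # The same message as trusted markup keeps its tag.
    print(render_status(add_safe_message(SafeMarkup("Click the <em>edit</em> tab"))))
    # Constructed untrusted value echoed back in a message: the template's
    # <code> tag survives, the value's <a> tag does not.
    user_input = '<a href="http://example.invalid/">link</a>'
    print(render_status(add_safe_message(
        SafeMarkup("Your input was <code>{value}</code>, this is wrong", value=user_input)
    )))
```

The design point is that "safe to render as structure" must be a property of how the string was built, not of the string itself: an `add_safe` that accepts any `str` would let a message echoing request data through as live markup, which is exactly the "Your input was X" case raised above.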

@vincentfretin (Member, Author)

Ok, I think I will just remove the <em> in all translations then and modify the English po as well to remove it.

@vincentfretin (Member, Author)

See my comment collective/plone.app.locales#294 (comment)
