API result values should be literal strings rather than HTML entities (Maybe a bug?) #7682

Open
Sxderp opened this issue Dec 20, 2019 · 19 comments

Comments

@Sxderp
Contributor

Sxderp commented Dec 20, 2019

Server (please complete the following information):

  • Snipe Version: 4.7.7
  • OS: RHEL 7
  • Web Server: Apache
  • PHP Version: 7.1

Is your feature request related to a problem? Please describe.
When fetching assets that have certain characters in field values or model name, those characters are turned into HTML entities. The HTML entities are returned in the API output. The escaping seems to happen in the "Transformer" classes.

Reproduce:

  1. Create a Model with a " in the name.
  2. Create an asset with that model.
  3. Query that asset using the API.
  4. Examine API output. The model name will contain the HTML entity &quot;.

Describe the solution you'd like
The API should return literal strings.

Describe alternatives you've considered
Manually un-escaping the HTML entities in my scripts.

@stale

stale bot commented Feb 18, 2020

Is this still relevant? We haven't heard from anyone in a bit. If so, please comment with any updates or additional detail.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Don't take it personally, we just need to keep a handle on things. Thank you for your contributions!

@stale stale bot added the stale label Feb 18, 2020
@Sxderp
Contributor Author

Sxderp commented Feb 22, 2020

yes

@stale

stale bot commented Feb 22, 2020

Okay, it looks like this issue or feature request might still be important. We'll re-open it for now. Thank you for letting us know!

@stale stale bot removed the stale label Feb 22, 2020
@stale

stale bot commented Apr 23, 2020

Is this still relevant? We haven't heard from anyone in a bit. If so, please comment with any updates or additional detail.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Don't take it personally, we just need to keep a handle on things. Thank you for your contributions!

@stale stale bot added the stale label Apr 23, 2020
@Sxderp
Contributor Author

Sxderp commented Apr 23, 2020

yes

@stale

stale bot commented Apr 23, 2020

Okay, it looks like this issue or feature request might still be important. We'll re-open it for now. Thank you for letting us know!

@stale stale bot removed the stale label Apr 23, 2020
@travismiller
Contributor

This is unexpected behavior. I would expect the API to output data exactly as input.

Unfortunately, changing this would be a breaking change as existing code is likely expecting current behavior.

It would be good to get this included in v5 with maybe an optional configuration and/or parameter for handling this as desired in v4.

This is something I may be able to help with.

@stale

stale bot commented Aug 8, 2020

Is this still relevant? We haven't heard from anyone in a bit. If so, please comment with any updates or additional detail.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Don't take it personally, we just need to keep a handle on things. Thank you for your contributions!

@stale stale bot added the stale label Aug 8, 2020
@travismiller
Contributor

travismiller commented Aug 8, 2020 via email

@stale

stale bot commented Aug 8, 2020

Okay, it looks like this issue or feature request might still be important. We'll re-open it for now. Thank you for letting us know!

@stale stale bot removed the stale label Aug 8, 2020
@stale

stale bot commented Oct 12, 2020

Is this still relevant? We haven't heard from anyone in a bit. If so, please comment with any updates or additional detail.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Don't take it personally, we just need to keep a handle on things. Thank you for your contributions!

@stale stale bot added the stale label Oct 12, 2020
@Sxderp
Contributor Author

Sxderp commented Oct 12, 2020

Yes

@stale

stale bot commented Oct 12, 2020

Okay, it looks like this issue or feature request might still be important. We'll re-open it for now. Thank you for letting us know!

@stale stale bot removed the stale label Oct 12, 2020
@stale

stale bot commented Dec 25, 2020

Is this still relevant? We haven't heard from anyone in a bit. If so, please comment with any updates or additional detail.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Don't take it personally, we just need to keep a handle on things. Thank you for your contributions!

@stale stale bot added the stale label Dec 25, 2020
@travismiller
Contributor

travismiller commented Dec 25, 2020 via email

@stale

stale bot commented Dec 25, 2020

Okay, it looks like this issue or feature request might still be important. We'll re-open it for now. Thank you for letting us know!

@stale stale bot removed the stale label Dec 25, 2020
@mattcarras

+1

My scripts unescape all returned strings as I'm not exactly sure which strings may have HTML entities in them.

@snipe
Owner

snipe commented Aug 24, 2022

This would leave us open to XSS attacks everywhere that we consume the API.
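An added example, not code from the original issue or from Snipe-IT, showing in Python what this thread describes: a consumer that receives the entity-encoded value the issue reports, where decoding it is harmless (plain-text use), where a consumer that already concatenates API values into HTML becomes exposed once the values are literals (the concern in the comment above), the escape-at-output pattern that is correct either way, and the double-encoding the current behaviour causes. The model name is a constructed sample.

```python
"""Added example (not Snipe-IT code): what an API consumer sees when field
values come back HTML-entity-encoded, and where decoding them is safe."""
import html

# Constructed sample: the value an admin typed as a model name, and the
# entity-encoded form the issue reports the v4 API returning for it.
RAW_MODEL_NAME = '15" Laptop <b>demo</b>'
API_MODEL_NAME = html.escape(RAW_MODEL_NAME, quote=True)


def plain_text_value(api_value: str) -> str:
    """Non-HTML use (CSV export, equality checks, CLI output): decoding the
    entities recovers the literal string the issue asks the API to return."""
    return html.unescape(api_value)


def render_by_concatenation(api_value: str, decode_first: bool) -> str:
    """A naive consumer that builds HTML by string concatenation. With the
    encoded API value this is only accidentally safe; once the consumer
    decodes (or the API starts returning literals) the markup in the value
    is injected into the page. This is the risk the maintainer refers to."""
    value = html.unescape(api_value) if decode_first else api_value
    return f"<td>{value}</td>"


def render_escaping_at_output(literal_value: str) -> str:
    """The robust pattern: treat whatever you hold as data and encode it at
    the point of HTML output, independent of what the API did."""
    return f"<td>{html.escape(literal_value, quote=True)}</td>"


def double_encoded(api_value: str) -> str:
    """Escaping an already-encoded API value without decoding it first yields
    '&amp;quot;', so the user sees a literal '&quot;' on screen."""
    return html.escape(api_value, quote=True)
```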

@bby-bishopclark

Is 9cf5f30 a response to this, or unrelated?

Development

No branches or pull requests

5 participants