ReferenceError on saving if field name contains a - for some fieldtypes #7619

Closed
rrelmy opened this issue Feb 28, 2023 · 4 comments

rrelmy (Contributor) commented Feb 28, 2023

Bug description

Saving an entry shows a toast with the error message «ReferenceError: text is not defined» (text depends on the field name).

The error happens on this line:

let fieldValue = eval(jsPath);

as jsPath resembles something like values.breaking-text.

How to reproduce

  1. Create a blueprint with a Bard field having the handle breaking-text.
  2. Create an entry.
  3. Click save.

Better not ask what happens when the handle is bard_field;alert("hacked").
This is a stored XSS issue as you can put any JS code in the handle!

Logs

ReferenceError: text is not defined


This started to happen somewhere around Statamic 3.3.40, I would say, and is still valid in 3.4.
In earlier versions (incl. v2) this was not an issue.

Environment

Environment
Application Name: Foo
Laravel Version: 9.52.4
PHP Version: 8.1.15
Composer Version: 2.5.4
Environment: local
Debug Mode: ENABLED
URL: foo.localhost
Maintenance Mode: OFF

Cache
Config: NOT CACHED
Events: NOT CACHED
Routes: NOT CACHED
Views: CACHED

Drivers
Broadcasting: null
Cache: statamic
Database: mysql
Logs: stack / daily
Mail: log
Queue: sync
Session: file

Statamic
Addons: 4
Antlers: runtime
Stache Watcher: Enabled
Static Caching: half
Version: 3.4.4 PRO

Statamic Addons
statamic/migrator: dev-master
statamic/seo-pro: 4.0.1

Installation

Fresh statamic/statamic site via CLI

Antlers Parser

runtime (new)


rrelmy (Contributor, Author) commented Feb 28, 2023

The issue was introduced in v3.3.7 with #5805; no clue how we did not notice this issue earlier, as this page was migrated from v2 to v3.2.

jasonvarga (Member) commented

You should avoid using variable names with dashes. If you change to underscores you should be okay.

rrelmy (Contributor, Author) commented Mar 9, 2023

@jasonvarga Then better add validation to the field to prevent that.
We renamed our fields in that project.

And please take care of the command injection, this is a security issue!

duncanmcclean (Member) commented

We've added better validation for field handles in #9039. They can now only contain letters, numbers and underscores.
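As an added illustration (not Statamic's code, and not from anyone in this thread), the following JavaScript shows both points of the discussion side by side: the eval-based path lookup the report describes, which turns a handle containing "-" into a subtraction and so throws the reported ReferenceError, and a lookup that walks the object by key so that no handle text ever reaches the JavaScript parser, together with a handle validator implementing the "letters, numbers and underscores" rule described in #9039. The function names, the sample values object and the handles used are assumptions constructed for this example.

```javascript
// Added example, not Statamic's implementation. Names and sample data are
// constructed for illustration.

// Constructed sample of a "values" object as a form might hold it.
const sampleValues = {
  title: 'Hello',
  'breaking-text': { type: 'bard', content: [] },
  nested: { bard_field: 'ok' },
};

// Lookup in the style the issue reports: a dotted path is assembled into a
// JavaScript expression and handed to eval(). A handle containing "-" is
// parsed as subtraction, so "values.breaking-text" throws
// "ReferenceError: text is not defined"; any other characters that form valid
// JavaScript in that position would likewise be evaluated as code.
function unsafeLookup(values, jsPath) {
  // eslint-disable-next-line no-eval
  return eval(jsPath); // direct eval sees the local `values` binding
}

// Hardened lookup: split the path and walk the object with property access.
// The handle is only ever used as an object key, whatever it contains.
function safeLookup(values, path) {
  return path.split('.').reduce((obj, key) => {
    if (obj === null || obj === undefined) return undefined;
    // Own-property check so keys like "constructor" cannot reach prototype
    // members.
    return Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;
  }, values);
}

// Handle validation matching the rule described in #9039: letters, numbers
// and underscores only. Rejecting at definition time means a hyphenated or
// otherwise unusual handle never reaches any lookup code at all.
const HANDLE_RE = /^[A-Za-z0-9_]+$/;
function isValidHandle(handle) {
  return typeof handle === 'string' && HANDLE_RE.test(handle);
}

// Reproduce the reported error message for a given handle without doing
// anything else with the result.
function lookupErrorMessage(values, handle) {
  try {
    unsafeLookup(values, 'values.' + handle);
    return null;
  } catch (e) {
    return `${e.name}: ${e.message}`;
  }
}
```

Running lookupErrorMessage(sampleValues, 'breaking-text') yields the exact message from the report, while safeLookup(sampleValues, 'breaking-text') simply returns the field's value; isValidHandle rejects both the hyphenated handle and the one containing a semicolon.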
