dev/core#1328 Add define to optionally enable escape-on-output #21956
Conversation
|
(Standard links)
|
eileenmcnaughton
force-pushed
the
escape2
branch
from
0b48de1 to
1713ca7
Compare
|
test this please |
|
@seamuslee001 @demeritcowboy it would make it easier to work on this if we could merge this one - since the presence or not of the function can be a bit of a pain between branches - given it is compiled into the templates |
|
What is the security team's take on the whole approach? i.e. is there concept approved? That's been my main hesitation from single handedly approving the various PRs. |
|
@demeritcowboy yeah - I chatted with @seamuslee001 & @totten today & explained where it was at & the various aspects. I think the mood was generally 'yeah ok' - I do hope that once the basics are working we might get some early adoption in dev environments from people like @pfigel & @adixon - the key parts are
|
|
I just added a comment here too https://lab.civicrm.org/dev/core/-/issues/1328#note_66924 |
eileenmcnaughton
changed the title
|
Ok thanks. One thing is that it seems to do double-escaping for any template that already has Related but separate, it should probably check that escape isn't already in the default_modifiers list before adding it. Otherwise I don't see any issues. |
|
I love the concept! Looking forward to trying it out. |
This adjusts the smarty class such that if you have the define below escape-on-output is enabled This PR + fixing the use of isset in the template layer are the pre-requisites for turning escape on output on and off. Keeping this part in an unmerged branch is tricky as the templates need to be recompiled when you switch to a branch which does not have this function I envisage us starting to use this define in our dev environments fairly soon as it's working well locally for me on civicrm#21935
eileenmcnaughton
force-pushed
the
escape2
branch
from
1713ca7 to
737a778
Compare
|
@demeritcowboy I've fixed it to check for the modifier On the double escape - I guess we just need to add smarty:nodefaults - we can't remove the existing escapes |
| if (!isset($this->_plugins['modifier']['escape'])) { | ||
| $this->register_modifier('escape', ['CRM_Core_Smarty', 'escape']); | ||
| } | ||
| $this->default_modifiers[] = 'escape:"htmlall"'; |
There was a problem hiding this comment.
Sorry what I meant was suppose $this->default_modifiers already contains something like escape:"html". Then everything would end up with double-escaping.
There was a problem hiding this comment.
@demeritcowboy but then why would you add the define if you had some other method adding in a default modifier?
Overview
Add define to optionally enable escape-on-output
This PR + fixing the use of isset in the template layer are the pre-requisites for
turning escape on output on and off. Keeping this part in an unmerged branch is
tricky as the templates need to be recompiled when you switch to a branch
which does not have this function
I envisage us starting to use this define in our dev environments fairly soon
as it's working well locally for me on
#21935
Before
Only smarty variables specifically piped to
escapeare escapedAfter
If you add the following define
Then all variables are escaped.
Technical Details
Note that with this PR if you uncomment the above define your site will crash as long as there are calls to
issetin the smarty templates. All of those calls have been removed in #21935 - but not with adequate care (and with some errors) . Merging this helps the process of working through those and the enotice issues since it makes it easier to switch back & forth between having default esaping on & offComments
#21979 is open as one PR removal of isset in the template & a bunch of those would need to be merged
https://lab.civicrm.org/dev/core/-/issues/1328#note_66924