Don't filter form data on reload #28103
Conversation
|
What's about field Isn't it a security issue if unfiltered data, e.g. JS-<script> in MetaDescription field is saved in the UserData/Session? If I don't save the article after category change and it's reloaded with <script> tag intact, keep article open, isn't it possible to access the data somewhere else? I don't know... Just asking... |
|
All of this is in line with how we handle data saving. Even the |
|
I have tested this item ✅ successfully on 3dadc5b This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/28103. |
|
hmm I'm not sure whether this is a good idea. In the save method we use validate before saving it to the user state: https://github.com/joomla/joomla-cms/pull/28103/files#diff-86b33cf8a55249ba67537358db4a53e1L714 @SniperSister please take a look here and give your advise. |
|
@zero-24 No, we store unfiltered data in user state: joomla-cms/libraries/src/MVC/Controller/FormController.php Lines 735 to 736 in 3dadc5b |
|
I have tested this item ✅ successfully on 3dadc5b This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/28103. |
|
RTC This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/28103. |
|
Thanks |
6 participants
Pull Request for Issue #27919.
Summary of Changes
Joomla\CMS\MVC\Controller\FormController::reload()method filters form data before storing it to user state. This is different from behavior insave()method where we store unfiltered data. Filtering data at this point causes some issues, e.g. form values disappearing ifunsetfilter is used.This removes filtering.
Testing Instructions
Create two or more categories.
Create a custom field for articles.
Edit an article.
Change its category.
After page is reloaded, check
HitsandRevisionfields.Expected result
Values are present.
Actual result
Values are missing.
Documentation Changes Required
IDK.