CRM-21006 - Escape all title and alt attributes #6
Merged
This commit opportunistically adds HTML output encoding to all Smarty variables any time they appear within an HTML `title` or `alt` attribute. Why? Because this helps us prevent XSS and is very very unlikely to cause any unwanted side effects.

Code locations found by searching the `templates` directory for:

```
(title|alt)=(['"])((?!\2).)*\{\$((?!(\|(escape|crmDate))|\}).)+\}((?!\2).)*\2
```
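The search pattern in the description is the audit step behind this change. As an added example (not CiviCRM's own code), the Python below runs that exact pattern over a constructed Smarty template to list the `title`/`alt` attributes that still interpolate a variable without `|escape` or `|crmDate`, and then renders one such attribute with and without output encoding and parses the result, so the attribute breakout that the missing `|escape` permits shows up as an extra parsed attribute. Assumptions: the sample template lines and the payload are constructed for the example, and `html.escape(quote=True)` stands in for Smarty's default `|escape` modifier.

```python
"""Audit helper written as an added example for this PR; it is not CiviCRM code.

It does two things the PR description implies but does not show:
  1. runs the PR's own search pattern over a constructed Smarty template
     to list title/alt attributes whose {$var} lacks |escape or |crmDate;
  2. renders one such attribute with and without HTML output encoding and
     parses the result, so the attribute breakout that escaping prevents
     is visible as an extra parsed attribute.
html.escape(quote=True) stands in for Smarty's default |escape modifier
(an assumption made for this example).
"""
import html
import re
from html.parser import HTMLParser

# The search pattern quoted verbatim in the PR description.
UNESCAPED_ATTR_RE = re.compile(
    r"""(title|alt)=(['"])((?!\2).)*\{\$((?!(\|(escape|crmDate))|\}).)+\}((?!\2).)*\2"""
)

# Constructed sample template; none of these lines come from civicrm-core.
SAMPLE_TEMPLATE = """\
<a href="{$url}" title="{$contact.display_name}">{$contact.display_name|escape}</a>
<img src="{$image_url}" alt="{$image_alt|escape}" />
<img src="{$image_url}" alt='{$image_alt|truncate:40}' />
<span title="{$event.start_date|crmDate}">{$event.title|escape}</span>
<a href="{$url}" title="{ts}Edit{/ts} {$name}">edit</a>
"""

# Constructed attacker-controlled value (e.g. a contact display name).
PAYLOAD = 'x" onmouseover="alert(1)'


def find_unescaped(template_text):
    """Return (line_number, attribute, matched_text) for every title/alt
    attribute that interpolates a Smarty variable without |escape or |crmDate."""
    hits = []
    for lineno, line in enumerate(template_text.splitlines(), start=1):
        for m in UNESCAPED_ATTR_RE.finditer(line):
            hits.append((lineno, m.group(1), m.group(0)))
    return hits


def render_title_attr(value, escaped):
    """Emulate the output of title="{$value}" (escaped=False) versus
    title="{$value|escape}" (escaped=True) for one anchor tag."""
    rendered = html.escape(value, quote=True) if escaped else value
    return f'<a href="/contact/view" title="{rendered}">view</a>'


class _FirstTagAttrs(HTMLParser):
    """Collects the attributes of the first start tag seen."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)


def parsed_attributes(markup):
    """Parse a tag the way a browser would and return its attribute map
    (entity references in attribute values are decoded by the parser)."""
    parser = _FirstTagAttrs()
    parser.feed(markup)
    return parser.attrs or {}


if __name__ == "__main__":
    for lineno, attr, text in find_unescaped(SAMPLE_TEMPLATE):
        print(f"line {lineno}: unescaped {attr} attribute: {text}")
    for escaped in (False, True):
        markup = render_title_attr(PAYLOAD, escaped)
        print(f"escaped={escaped}: {markup}")
        print(f"  parsed attributes: {sorted(parsed_attributes(markup))}")
```

Lines 1, 3 and 5 of the sample are reported: a bare variable, a variable with a non-escaping modifier (`|truncate`), and a variable following other template output inside the same quotes. Lines 2 and 4 are skipped because the pattern treats `|escape` and `|crmDate` as safe. With the payload unescaped, the parser sees three attributes on the anchor, including `onmouseover`; with `quote=True` encoding the double quote becomes `&quot;`, the tag keeps only `href` and `title`, and the decoded `title` value is the original string.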
Changes look fine, merging.
seamuslee001 pushed a commit that referenced this pull request on Feb 19, 2020
Overview
--------

This fixes a recent regression in which `xml/GenCode.php` fails to execute in certain configurations.

Initial report: civicrm/civicrm-buildkit#503

Before
------

* If the folder `l10n` exists in its traditional location, and if you run `./bin/setup.sh -g`, then it correctly executes.
* If the folder `l10n` does not exist in its traditional location, and if you run `./bin/setup.sh -g`, then it fails with an error like this:

```
+ php -d mysql.default_host=127.0.0.1:3306 -d mysql.default_user=dmasterciv_abcde -d mysql.default_password=abcd1234 GenCode.php schema/Schema.xml '' Drupal
civicrm_domain.version := 5.23.alpha1
Parsing schema description schema/Schema.xml
Extracting database information
Extracting table information
PHP Fatal error:  Uncaught RuntimeException: Invalid configuration: the [cms.root] path must be an absolute URL in /home/me/.../Civi/Core/Paths.php:174
Stack trace:
#0 /home/me/.../Civi/Core/Paths.php(151): Civi\Core\Paths->toAbsoluteUrl('/', 'cms.root')
#1 /home/me/.../Civi/Core/Paths.php(176): Civi\Core\Paths->getVariable('cms.root', 'url')
#2 /home/me/.../Civi/Core/Paths.php(151): Civi\Core\Paths->toAbsoluteUrl('/', 'civicrm.root')
#3 /home/me/.../Civi/Core/Paths.php(224): Civi\Core\Paths->getVariable('civicrm.root', 'path')
#4 /home/me/.../Civi/Core/Paths.php(84): Civi\Core\Paths->getPath('l10n')
#5 [internal function]: Civi\Core\Paths->Civi\Core\{closure}()
#6 /home/jo in /home/me/.../Civi/Core/Paths.php on line 174
```

After
-----

You can run `./bin/setup.sh -g` with or without the `l10n` folder.

Comments
--------

There's an argument to be made that this shouldn't be necessary: when running `GenCode`, it should only create PHP files, and none of the output should depend on the CMS URL - because that's liable to change when you deploy the PHP code. If someone did try to generate a URL at such an early stage, it's arguably good to generate an error. In point of fact, `GenCode` is not actually using the CMS URL.

The oddity stems from the contract of `CRM_Utils_System_*` (specifically, `getCiviSourceStorage()` and `getDefaultFileStorage()`) which do double-duty providing both path and URL. To avoid duplicate work, `Civi\Core\Paths` uses the same grain of information - it tracks the pairs of path+URL. A more aggressive fix might be to split `getCiviSourceStorage()` and `getDefaultFileStorage()` so that it's possible to get the path and URL separately; then revise `Civi\Core\Paths` to take advantage of the finer-grained contract. However, splitting those things would be a more invasive patch, and we're currently in RC.
seamuslee001 pushed a commit that referenced this pull request on Sep 17, 2020
It's not that we have any specific need for these versions, but this is still alpha, and it's mostly being tested on newer platform versions.
seamuslee001 pushed a commit that referenced this pull request on Sep 17, 2020
seamuslee001 pushed a commit that referenced this pull request on Dec 7, 2021
…ion-fix)

Overview
--------

Fixes a recent regression that prevents you from uninstalling extensions via CLI. This specifically affects extensions which use managed entities.

Steps to reproduce
------------------

```
cv en afform
cv dis afform
cv ext:uninstall afform
```

Before
-------

```
[bknix-max:~/bknix/build/dmaster/web/sites/all/modules/civicrm] cv en afform && cv dis afform && cv ext:uninstall afform
Enabling extension "org.civicrm.afform"
Disabling extension "org.civicrm.afform"
Uninstalling extension "org.civicrm.afform"
Error: API Call Failed: Array
(
    [entity] => Extension
    [action] => uninstall
    [params] => Array
        (
            [keys] => Array
                (
                    [0] => org.civicrm.afform
                )
            [debug] => 1
            [version] => 3
        )
    [result] => Array
        (
            [error_code] => unauthorized
            [entity] => Extension
            [action] => uninstall
            [trace] =>
#0 /home/me/bknix/build/dmaster/web/sites/all/modules/civicrm/Civi/API/Kernel.php(147): Civi\API\Kernel->authorize(Object(Civi\Api4\Provider\ActionObjectProvider), Object(Civi\Api4\Generic\DAODeleteAction))
#1 /home/me/bknix/build/dmaster/web/sites/all/modules/civicrm/Civi/Api4/Generic/AbstractAction.php(234): Civi\API\Kernel->runRequest(Object(Civi\Api4\Generic\DAODeleteAction))
#2 /home/me/bknix/build/dmaster/web/sites/all/modules/civicrm/api/api.php(85): Civi\Api4\Generic\AbstractAction->execute()
#3 /home/me/bknix/build/dmaster/web/sites/all/modules/civicrm/CRM/Core/ManagedEntities.php(467): civicrm_api4('OptionValue', 'delete', Array)
#4 /home/me/bknix/build/dmaster/web/sites/all/modules/civicrm/CRM/Core/ManagedEntities.php(303): CRM_Core_ManagedEntities->removeStaleEntity(Object(CRM_Core_DAO_Managed))
#5 /home/me/bknix/build/dmaster/web/sites/all/modules/civicrm/CRM/Core/ManagedEntities.php(134): CRM_Core_ManagedEntities->reconcileUnknownModules()
#6 /home/me/bknix/build/dmaster/web/sites/all/modules/civicrm/CRM/Core/Invoke.php(409): CRM_Core_ManagedEntities->reconcile()
#7 /home/me/bknix/build/dmaster/web/sites/all/modules/civicrm/CRM/Extension/Manager.php(483): CRM_Core_Invoke::rebuildMenuAndCaches(true)
#8 /home/me/bknix/build/dmaster/web/sites/all/modules/civicrm/api/v3/Extension.php(183): CRM_Extension_Manager->uninstall(Array)
#9 /home/me/bknix/build/dmaster/web/sites/all/modules/civicrm/Civi/API/Provider/MagicFunctionProvider.php(89): civicrm_api3_extension_uninstall(Array)
#10 /home/me/bknix/build/dmaster/web/sites/all/modules/civicrm/Civi/API/Kernel.php(149): Civi\API\Provider\MagicFunctionProvider->invoke(Array)
#11 /home/me/bknix/build/dmaster/web/sites/all/modules/civicrm/Civi/API/Kernel.php(81): Civi\API\Kernel->runRequest(Array)
#12 /home/me/bknix/build/dmaster/web/sites/all/modules/civicrm/api/api.php(22): Civi\API\Kernel->runSafe('Extension', 'uninstall', Array)
#13 phar:///home/me/bknix/bin/cv/src/Command/BaseCommand.php(49): civicrm_api('Extension', 'uninstall', Array)
#14 phar:///home/me/bknix/bin/cv/src/Command/ExtensionUninstallCommand.php(63): Civi\Cv\Command\BaseCommand->callApiSuccess(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput), 'Extension', 'uninstall', Array)
#15 phar:///home/me/bknix/bin/cv/vendor/symfony/console/Command/Command.php(257): Civi\Cv\Command\ExtensionUninstallCommand->execute(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#16 phar:///home/me/bknix/bin/cv/vendor/symfony/console/Application.php(850): Symfony\Component\Console\Command\Command->run(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#17 phar:///home/me/bknix/bin/cv/vendor/symfony/console/Application.php(193): Symfony\Component\Console\Application->doRunCommand(Object(Civi\Cv\Command\ExtensionUninstallCommand), Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#18 phar:///home/me/bknix/bin/cv/src/Application.php(46): Symfony\Component\Console\Application->doRun(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#19 phar:///home/me/bknix/bin/cv/vendor/symfony/console/Application.php(124): Civi\Cv\Application->doRun(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#20 phar:///home/me/bknix/bin/cv/src/Application.php(15): Symfony\Component\Console\Application->run()
#21 phar:///home/me/bknix/bin/cv/bin/cv(27): Civi\Cv\Application::main('phar:///Users/t...')
#22 /home/me/bknix/bin/cv(14): require('phar:///Users/t...')
#23 {main}
            [is_error] => 1
            [error_message] => Authorization failed
        )
)
```

After
-----

Works

Comment
-------

I encountered this while working on E2E test-coverage for other changes. The E2E test coverage had worked on a previous iteration of 5.45.alpha1 but failed when I rebased. Consequently, this means you can see a prior draft of the E2E test [here](https://github.com/totten/shimmy/blob/master-reorg/shimmy/tests/phpunit/E2E/Shimmy/LifecycleTest.php#L56-L77). However, it's being reworked as a core patch. I'd suggest accepting this without a test - because (a) it's a regression and (b) there will be coverage from the pending change.
totten pushed a commit that referenced this pull request on Sep 19, 2024
CRM_Event_Page_EventInfoTest::testFullMessage

```
Exception: CRM_Extension_Exception_MissingException: "Failed to find extension: civi_mail"
#0 /home/homer/buildkit/build/build-3/web/sites/all/modules/civicrm/CRM/Extension/Container/Basic.php(143): CRM_Extension_Container_Basic->getRelPath("civi_mail")
#1 /home/homer/buildkit/build/build-3/web/sites/all/modules/civicrm/CRM/Extension/Mapper.php(233): CRM_Extension_Container_Basic->getPath("civi_mail")
#2 /home/homer/buildkit/build/build-3/web/sites/all/modules/civicrm/CRM/Core/Resources.php(261): CRM_Extension_Mapper->keyToBasePath("civi_mail")
#3 /home/homer/buildkit/build/build-3/web/sites/all/modules/civicrm/CRM/Core/Resources.php(311): CRM_Core_Resources->getPath("civi_mail")
#4 /home/homer/buildkit/build/build-3/web/sites/all/modules/civicrm/Civi/Angular/Manager.php(208): CRM_Core_Resources->glob("civi_mail", (Array:3))
#5 /home/homer/buildkit/build/build-3/web/sites/all/modules/civicrm/Civi/Angular/Manager.php(114): Civi\Angular\Manager->resolvePatterns((Array:59))
#6 /home/homer/buildkit/build/build-3/web/sites/all/modules/civicrm/CRM/Utils/Check/Component/Env.php(1178): Civi\Angular\Manager->getModules()
#7 /home/homer/buildkit/build/build-3/web/sites/all/modules/civicrm/CRM/Utils/Check/Component.php(76): CRM_Utils_Check_Component_Env->checkAngularModuleSettings(FALSE)
#8 /home/homer/buildkit/build/build-3/web/sites/all/modules/civicrm/CRM/Utils/Check.php(215): CRM_Utils_Check_Component->checkAll((Array:0), FALSE)
#9 /home/homer/buildkit/build/build-3/web/sites/all/modules/civicrm/CRM/Utils/Check.php(185): CRM_Utils_Check::checkStatus()
#10 /home/homer/buildkit/build/build-3/web/sites/all/modules/civicrm/CRM/Utils/Check.php(93): CRM_Utils_Check::checkAll()
#11 /home/homer/buildkit/build/build-3/web/sites/all/modules/civicrm/CRM/Core/Page.php(267): CRM_Utils_Check->showPeriodicAlerts()
#12 /home/homer/buildkit/build/build-3/web/sites/all/modules/civicrm/CRM/Event/Page/EventInfo.php(325): CRM_Core_Page->run()
```