Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#17324] - Comment for non-escaped $result->title

?
avatar nicksavov
nicksavov
28 Jul 2017

Steps to reproduce the issue

  1. Check out https://github.com/joomla/joomla-cms/pull/16484/files
  2. Note that the security checks (i.e. the escapes) get moved to view.html.php (via the htmlspecialchars)

Expected result

A comment to let a future coder know why it's not escaped

Actual result

There's no comment

System information (as much as possible)

N/A

Additional comments

Adding the comment could be important for someone that looks at the file later down the road. They'd see that other variables are escaped, but those two aren't, and wonder why. A person might even submit code to escape it.

avatar nicksavov nicksavov - open - 28 Jul 2017
avatar joomla-cms-bot joomla-cms-bot - change - 28 Jul 2017
Labels Added: ?
avatar joomla-cms-bot joomla-cms-bot - labeled - 28 Jul 2017
avatar ggppdk
ggppdk - comment - 29 Jul 2017

I would say to add a new property to the record

like
$result->title_escaped_highlighted

and leave $result->title untouched
since the way it is modified now it is inconsistent with all other template files

avatar franz-wohlkoenig franz-wohlkoenig - change - 29 Jul 2017
Category com_search
avatar franz-wohlkoenig franz-wohlkoenig - change - 29 Jul 2017
Status New Discussion
avatar tonypartridge
tonypartridge - comment - 2 Aug 2017

@weeblr can you please add a comment on the reason from removing the escape?

avatar franz-wohlkoenig franz-wohlkoenig - change - 3 Aug 2017
Status Discussion Information Required
avatar weeblr
weeblr - comment - 3 Aug 2017

See #17401

avatar ggppdk
ggppdk - comment - 3 Aug 2017

@weeblr
nice , thanks for your works

just it would have been better if a new property was added:
$result->title_escaped_search_highlighted (or a shorter one)

this way
-- the original issue would have been fixed
-- existing templates overrides would not need to be updated
-- consistent with all other template files where the ->title is not passed escaped, and it is also the original text unmodified

avatar tonypartridge
tonypartridge - comment - 4 Aug 2017

@ggppdk whilst I see your point.. had the template developers followed the default Joomla! template all would be well.

avatar ggppdk
ggppdk - comment - 4 Aug 2017

@tonypartridge

but since which date they should:

had the template developers followed the default Joomla! template all would be well.

before the date that the change was introduced or after the date the change was introduced ?
anyway personally i care little of this, i think this can now be closed

avatar tonypartridge
tonypartridge - comment - 4 Aug 2017

The problem is the developers have used escape around the title something which is common in Wordpress since they don't really sanitise any data naturally.

But it's not needed in Joomla! at this level which we are rendering the template the content should already be escaped at the tmpl level.

avatar nicksavov
nicksavov - comment - 4 Aug 2017

Thanks for everyone's input! I think this issue is resolved now. But, if there's still a concern about a new property, please open a new issue report for it.

avatar nicksavov nicksavov - change - 4 Aug 2017
Status Information Required Closed
Closed_Date 0000-00-00 00:00:00 2017-08-04 18:21:15
Closed_By nicksavov
avatar nicksavov nicksavov - close - 4 Aug 2017

Add a Comment

Login with GitHub to post a comment