[#19312] - Fix plg_debug prettyPrintJSON when session variables contain HTML
- Fixed in Code Base
- 19 Oct 2019
- Medium
- Build: 3.10-dev
- # 19312
- Diff
- Sophist-UK:patch-2
- Success hound No violations found. Woof! Details
- Success continuous-integration/drone/pr the build was successful Details
- Success continuous-integration/travis-ci/pr The Travis CI build passed Details
- Success continuous-integration/appveyor/pr AppVeyor build succeeded Details
- Pending JTracker/HumanTestResults Human Test Results: 1 Successful 0 Failed. Details
User tests: Successful: Unsuccessful:
Issue occurred when Kunena had set a session variable of the form <strong>Some text</strong>.
json_encode was converting this to <strong>Some text<\/strong> - which was then an unclosed <strong> tag which was disrupting the remainder of the debug output.
Pull Request for Issue #19311 .
Summary of Changes
Added JSON_UNESCAPED_SLASHES to the json_encode so that closing HTML is not disrupted.
Escape any HTML in the JSON output by converting < and > to htmlentities.
Testing Instructions
- Create a session variable containing
<strong>Some text</strong>. - View session output before and after this fix.
Expected result
"<strong>Some text</strong>".
Documentation Changes Required
None
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Front End Plugins |
This is going to introduce side effects breaking any other non-HTML uses of < and >.
The output of json_encode is a string and has no html inside, so this should not have any impact on changing genuine html to a literal output.
OK, and if you have a session var whose value is '1 < 2'?
| Labels |
Added:
?
|
||
Then it sends html 1 < 2 to the browser which is displayed as 1 < 2.
But suppose session string contains &. We would want it displayed as & and not &. So this changes it to &amp; which is then displayed as &.
With current 3.9-dev and patchtester I get an error "Error The patch could not be applied because the repository is missing"
PR seems to work. Tested like this:
- In Isis index.php add lines
$session = JFactory::getSession();
$node = 'testtest';
$session->set($node, '<strong>Hello World!</strong> & Hello <span class="thang">Thing</span> & Hello <span class="thing">Thang</span>! After.');
- Activate debug mode in Global Configuration and save.
- See Session panel
Before patch
After patch
I have tested this item
The PR branch is removed, so added the code myself to test.
Works as expected.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/19312.
JSON_UNESCAPED_SLASHES requires PHP 5.4
I have tested this item
Patch applied manually.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/19312.
| Status | Pending | ⇒ | Ready to Commit |
RTC
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/19312.
| Status | Ready to Commit | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2019-10-19 21:55:49 |
| Closed_By | ⇒ | wilsonge | |
| Labels |
Added:
?
|
||
Thanks!
This is going to introduce side effects breaking any other non-HTML uses of
<and>.