J3 Issue ?
horus68
11 Mar 2019

Steps to reproduce the issue

The post-install language string on the security update for .htaccess files includes code for the recommended manual change in the files.
See: /administrator/language/en-GB/en-GB.com_cpanel.ini

COM_CPANEL_MSG_ADDNOSNIFF_BODY="<p>Joomla is now shipped with additional security hardenings in the default htaccess.txt and web.config.txt files. These hardenings disable the so called MIME-type sniffing feature in web browsers. The sniffing leads to specific attack vectors, where scripts in normally harmless file formats (eg images) will be executed, leading to Cross-Site-Scripting vulnerabilities.</p><p>The security team recommends to manually apply the necessary changes to existing .htaccess or web.config files, as those files can not be updated automatically.</p><p><strong>Changes for .htaccess</strong><br />Add the following lines before \"## Mod_rewrite in use.\":</p><pre>&lt;IfModule mod_headers.c&gt;\nHeader always set X-Content-Type-Options \"nosniff\"\n&lt;/IfModule&gt;</pre><p><strong>Changes for web.config</strong><br />Add the following lines right after \"&lt;/rewrite&gt;\":</p><pre>&lt;httpProtocol&gt;\n &lt;customHeaders&gt;\n &lt;add name=\"X-Content-Type-Options\" value=\"nosniff\" /&gt;\n &lt;/customHeaders&gt;\n&lt;/httpProtocol&gt;</pre>"

Expected result

Code should not be present in the language string, to avoid errors from translators or in case it requires an update to the code itself in a future release. There should be the alert, but the code to change .htaccess should be placed in the Joomla docs and a link provided.

Actual result

Actual string:
COM_CPANEL_MSG_ADDNOSNIFF_BODY="<p>Joomla is now shipped with additional security hardenings in the default htaccess.txt and web.config.txt files. These hardenings disable the so called MIME-type sniffing feature in web browsers. The sniffing leads to specific attack vectors, where scripts in normally harmless file formats (eg images) will be executed, leading to Cross-Site-Scripting vulnerabilities.</p><p>The security team recommends to manually apply the necessary changes to existing .htaccess or web.config files, as those files can not be updated automatically.</p><p><strong>Changes for .htaccess</strong><br />Add the following lines before \"## Mod_rewrite in use.\":</p><pre>&lt;IfModule mod_headers.c&gt;\nHeader always set X-Content-Type-Options \"nosniff\"\n&lt;/IfModule&gt;</pre><p><strong>Changes for web.config</strong><br />Add the following lines right after \"&lt;/rewrite&gt;\":</p><pre>&lt;httpProtocol&gt;\n &lt;customHeaders&gt;\n &lt;add name=\"X-Content-Type-Options\" value=\"nosniff\" /&gt;\n &lt;/customHeaders&gt;\n&lt;/httpProtocol&gt;</pre>"

System information (as much as possible)

Joomla staging

Additional comments

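An added example, not from this issue or from Joomla itself, that applies the manual change quoted in the message above to existing .htaccess and web.config contents: it inserts the nosniff block only once, at the spot the message names, and leaves a file alone when an equivalent header directive is already present. The sample file contents are constructed for the example.

```python
import re

# Constructed sample files (not from any real site): an .htaccess and a web.config
# written before the hardening, so neither carries the nosniff header yet.
SAMPLE_HTACCESS = "Options +FollowSymlinks\n## Mod_rewrite in use.\nRewriteEngine On\n"
SAMPLE_WEBCONFIG = "<configuration>\n <system.webServer>\n <rewrite>\n </rewrite>\n </system.webServer>\n</configuration>\n"

MARKER_HTACCESS = "## Mod_rewrite in use."
MARKER_WEBCONFIG = "</rewrite>"
BLOCK_HTACCESS = (
    "<IfModule mod_headers.c>\n"
    'Header always set X-Content-Type-Options "nosniff"\n'
    "</IfModule>\n"
)
BLOCK_WEBCONFIG = (
    "\n<httpProtocol>\n <customHeaders>\n"
    ' <add name="X-Content-Type-Options" value="nosniff" />\n'
    " </customHeaders>\n</httpProtocol>"
)

def htaccess_has_nosniff(text: str) -> bool:
    """Detect an existing Apache Header directive setting nosniff (any case, quoted or not)."""
    return re.search(
        r'(?im)^\s*Header\s+(?:always\s+)?set\s+X-Content-Type-Options\s+"?nosniff"?\s*$', text
    ) is not None

def webconfig_has_nosniff(text: str) -> bool:
    """Detect an existing IIS customHeaders entry for X-Content-Type-Options."""
    return re.search(r'(?i)<add\s+name="X-Content-Type-Options"', text) is not None

def add_nosniff_htaccess(text: str) -> str:
    """Insert the hardening block once, before the mod_rewrite marker (or at the end)."""
    if htaccess_has_nosniff(text):
        return text
    idx = text.find(MARKER_HTACCESS)
    if idx == -1:
        return text + ("" if text.endswith("\n") else "\n") + BLOCK_HTACCESS
    return text[:idx] + BLOCK_HTACCESS + text[idx:]

def add_nosniff_webconfig(text: str) -> str:
    """Insert the customHeaders block once, right after </rewrite>; unchanged if no marker."""
    if webconfig_has_nosniff(text):
        return text
    idx = text.find(MARKER_WEBCONFIG)
    if idx == -1:
        return text  # no <rewrite> section to anchor on; leave for manual review
    end = idx + len(MARKER_WEBCONFIG)
    return text[:end] + BLOCK_WEBCONFIG + text[end:]
```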
horus68 - open - 11 Mar 2019
joomla-cms-bot - change - 11 Mar 2019
Labels Added: ?
joomla-cms-bot - labeled - 11 Mar 2019
brianteeman - comment - 11 Mar 2019

Sorry, but if a translator is not able to understand that they should not be translating that code, then I seriously wonder if they are knowledgeable enough to successfully translate any part of Joomla.

franz-wohlkoenig - change - 11 Mar 2019
Status New Discussion
Bakual - comment - 12 Mar 2019

Sorry Brian, but that is not relevant.
One can be a good translator and know that he doesn't have to translate HTML tags and still make errors on that string, because the string indeed is quite complex and has a lot of code and escaped special characters in it.
His suggestion was to move part of the string (the .htaccess / webconfig changes) to a documentation page and place a link into the message instead. Doesn't sound like a bad idea to me.

brianteeman - comment - 12 Mar 2019

All the code and escaped characters are in the part not to be translated.

ot2sen - comment - 12 Mar 2019

Perhaps replace it with a link to a diff instead. Less to explain, and it makes it visual when it's not supposed to be translated anyway.

Bakual - comment - 13 Mar 2019

> all the code and escaped characters is in the part not to be translated

Yep, and that's why it shouldn't be in the language string, if possible. In a postinstall, we can't use sprintf to insert it (which we would do in all other similar places), so using a link to a doc page (or diff or whatever) would achieve the same.
@brianteeman I don't see why you resist that idea so strongly. What is the issue with having a link instead?

roland-d - comment - 13 Mar 2019

As a user, I like that I can just copy-paste the code directly from the message and don't have to follow a link to a page. Perhaps it is just me being lazy :)

Since it is a code fragment, can't it have its own language string, and we combine them in the output with sprintf? You just would not need to translate that particular string.

infograf768 - comment - 13 Mar 2019

I have already been looking into this.
The JText::_ is global
https://github.com/joomla/joomla-cms/blob/staging/administrator/components/com_postinstall/views/messages/tmpl/default.php#L58

Using a sprintf there would imply defining the variable when necessary (in this case the code snippet).

Only possibility I see would be to add a column in the #__postinstall_messages table where such snippets would be added when necessary.

For 4.0 ?

Bakual - comment - 13 Mar 2019

> As a user, I like that I can just copy-paste the code directly from the message and don't have to follow a link to a page. Perhaps it is just me being lazy :)

Since you can't directly edit the file in your browser and likely need FTP, it's not that easy anyway.
A doc page could even have additional information, nicely formatted code snippets and whatever.

> Since it is a code fragment, can't it have it's own language string and we combine them in the output with sprintf? You just would not need to translate that particular string.

To my knowledge, that isn't possible for postinstall messages.

roland-d - comment - 13 Mar 2019

> and likely need FTP

Let's promote SFTP/SSH :)

franz-wohlkoenig - change - 22 Mar 2019
Category com_cpanel
franz-wohlkoenig - change - 4 Apr 2019
Labels Added: J3 Issue
franz-wohlkoenig - labeled - 4 Apr 2019
jwaisner - change - 24 Mar 2020
Status Discussion Confirmed
chmst - change - 1 Jan 2021
Status Confirmed Closed
Closed_Date 0000-00-00 00:00:00 2021-01-01 18:39:15
Closed_By chmst
chmst - comment - 1 Jan 2021

Please test #31822

chmst - close - 1 Jan 2021