Pull Request for Issue #27919.
Joomla\CMS\MVC\Controller\FormController::reload() method filters form data before storing it to user state. This is different from behavior in save() method where we store unfiltered data. Filtering data at this point causes some issues, e.g. form values disappearing if unset filter is used.
This removes filtering.
Create two or more categories.
Create a custom field for articles.
Edit an article.
Change its category.
After page is reloaded, check Hits and Revision fields.
Values are present.
Values are missing.
IDK.
Status | New | ⇒ | Pending |
Category | ⇒ | Libraries |
What's about field Modified By? OK, that it's empty after category change and reload?
Isn't it a security issue if unfiltered data, e.g. JS-<script> in MetaDescription field is saved in the UserData/Session? If I don't save the article and just reload, keep it open, isn't it possible to access the data somewhere else? I don't know... Just asking...
All of this is in line with how we handle data saving. Even the Modified By field issue (this will need to be fixed separately).
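The behaviour discussed in this thread, as an added stand-alone PHP model (not Joomla code and not part of the original discussion): filtering before writing to state drops every field whose filter removes it, while raw state data stays inert as long as the form escapes it on output. The field-to-filter map, the function names and the sample POST data are constructed for illustration, and strip_tags() is only a stand-in for a real string filter.

```php
<?php
// Simplified model, not Joomla code. The filter map is an assumption:
// "unset" stands for a filter that drops the field from the filtered result.
declare(strict_types=1);

const FIELD_FILTERS = [
    'title'    => 'string',
    'catid'    => 'int',
    'metadesc' => 'string',
    'hits'     => 'unset', // read-only counter, not accepted from the form on save
    'version'  => 'unset', // the "Revision" field
];

/** Apply per-field filters, as a save step would before persisting the data. */
function filterForSave(array $data): array
{
    $out = [];
    foreach (FIELD_FILTERS as $name => $filter) {
        if ($filter === 'unset' || !array_key_exists($name, $data)) {
            continue; // field is dropped entirely
        }
        // strip_tags() is a stand-in for a string filter, not the project's own
        $out[$name] = $filter === 'int' ? (int) $data[$name] : strip_tags((string) $data[$name]);
    }
    return $out;
}

/** Re-render the edit form from state, escaping each value for the attribute context. */
function renderForm(array $state): string
{
    $html = '';
    foreach (array_keys(FIELD_FILTERS) as $name) {
        $value = htmlspecialchars((string) ($state[$name] ?? ''), ENT_QUOTES, 'UTF-8');
        $html .= sprintf("<input name=\"%s\" value=\"%s\">\n", $name, $value);
    }
    return $html;
}

// Constructed POST data for a reload triggered by a category change.
$post = [
    'title' => 'Demo', 'catid' => '9', 'hits' => '42', 'version' => '3',
    'metadesc' => '<script>alert(1)</script>',
];

echo "Filtered before storing to state:\n", renderForm(filterForSave($post));
echo "Stored raw, escaped on output:\n", renderForm($post);
echo "What a later save would persist:\n", json_encode(filterForSave($post)), "\n";
```

In the first rendering the hits and version inputs come back empty; in the second they keep their values and the metadesc markup appears only as escaped text, which is the property a reviewer should confirm wherever state data is written into a page.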
I have tested this item
hmm I'm not sure whether this is a good idea. In the save method we use validate before saving it to the user state: https://github.com/joomla/joomla-cms/pull/28103/files#diff-86b33cf8a55249ba67537358db4a53e1L714
@SniperSister please take a look here and give your advice.
@zero-24 No, we store unfiltered data in user state:
joomla-cms/libraries/src/MVC/Controller/FormController.php
Lines 735 to 736 in 3dadc5b
I have tested this item
Status | Pending | ⇒ | Ready to Commit |
RTC
Status | Ready to Commit | ⇒ | Fixed in Code Base |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-02-28 08:20:54 |
Closed_By | ⇒ | HLeithner | |
Thanks
What's about field Modified By? OK, that it's empty after category change and reload?
Isn't it a security issue if unfiltered data, e.g. JS-<script> in MetaDescription field is saved in the UserData/Session? If I don't save the article after category change and it's reloaded with <script> tag intact, keep article open, isn't it possible to access the data somewhere else? I don't know... Just asking...