? ? Pending

User tests: Successful: Unsuccessful:

avatar SharkyKZ
SharkyKZ
1 Jun 2020

Summary of Changes

Some code simplification.

Testing Instructions

Open any form containing a switcher field.
Inspect the switcher.

Expected result

Works like before.

Documentation Changes Required

No.

avatar SharkyKZ SharkyKZ - open - 1 Jun 2020
avatar SharkyKZ SharkyKZ - change - 1 Jun 2020
Status New Pending
avatar joomla-cms-bot joomla-cms-bot - change - 1 Jun 2020
Category Layout
avatar Quy Quy - test_item - 1 Jun 2020 - Tested successfully
avatar Quy
Quy - comment - 1 Jun 2020

I have tested this item successfully on 2d60713


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/29370.

avatar richard67 richard67 - test_item - 1 Jun 2020 - Tested successfully
avatar richard67
richard67 - comment - 1 Jun 2020

I have tested this item successfully on 2d60713


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/29370.

avatar richard67 richard67 - change - 1 Jun 2020
Status Pending Ready to Commit
avatar richard67
richard67 - comment - 1 Jun 2020

RTC


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/29370.

avatar richard67 richard67 - change - 1 Jun 2020
Labels Added: ? ?
avatar brianteeman
brianteeman - comment - 1 Jun 2020

I am not sure about this

The simplification of the sanitization of the value seems wrong to me. If I read this correctly (I might not be) instead of the htmpspecialchars and utf8 checks it is being restricted to the basic string. Which i think would prevent utf8 characters etc.

avatar SharkyKZ
SharkyKZ - comment - 1 Jun 2020

@brianteeman It's still using htmlspecialchars() with UTF-8 encoding:

public function escape($output)
{
return htmlspecialchars($output, ENT_QUOTES, 'UTF-8');
}

avatar brianteeman
brianteeman - comment - 1 Jun 2020

Isnt that taking place after you have already reduced it to a string?

avatar SharkyKZ
SharkyKZ - comment - 2 Jun 2020

Actually it appears to already be a string so another cast isn't even necessary:

$value = (string) $option['value'];

It makes no difference anyways.

avatar wilsonge
wilsonge - comment - 7 Jun 2020

htmlspecialchars will only work with a string - so it must already have been a string when escaped so pretty sure the string conversion is fine.

Moving to the escape function is probably good because it's using ENT_QUOTES rather than ENT_COMPAT which I guess might be usable for some sort of XSS attack if single quotes aren't encoded.

All in all having looked I think the proposed change there is fine. Although thankyou for flagging it when you were unsure!

avatar wilsonge wilsonge - change - 7 Jun 2020
Status Ready to Commit Fixed in Code Base
Closed_Date 0000-00-00 00:00:00 2020-06-07 12:55:08
Closed_By wilsonge
Labels
avatar wilsonge wilsonge - close - 7 Jun 2020
avatar wilsonge wilsonge - merge - 7 Jun 2020

Add a Comment

Login with GitHub to post a comment