Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#34514] - [4.0] Allow form elements in a subform template (sanitisation)

NPM Resource Changed ? ? Pending

User tests: Successful: Unsuccessful:

avatar dgrammatiko
dgrammatiko
14 Jun 2021

Pull Request for Issue #34512 (the subform part) .

Summary of Changes

  • Revert the sanitisation here

Testing Instructions

Actual result BEFORE applying this Pull Request

Expected result AFTER applying this Pull Request

Documentation Changes Required

@wilsonge can you push the button here?

avatar dgrammatiko dgrammatiko - open - 14 Jun 2021
avatar dgrammatiko dgrammatiko - change - 14 Jun 2021
Status New Pending
avatar joomla-cms-bot joomla-cms-bot - change - 14 Jun 2021
Category JavaScript Repository NPM Change
avatar dgrammatiko dgrammatiko - change - 14 Jun 2021
The description was changed
avatar dgrammatiko dgrammatiko - edited - 14 Jun 2021
avatar Fedik
Fedik - comment - 14 Jun 2021

hm, do we really need cleaning for subform "template"?
it can be pretty complex for a forms, there may be fields with custom element, and fields with onclick attributes

avatar dgrammatiko dgrammatiko - change - 14 Jun 2021
Labels Added: NPM Resource Changed ?
avatar dgrammatiko
dgrammatiko - comment - 14 Jun 2021

and fields with onclick attributes

This is exactly what's not allowed and what the sanitizer is supposed to clean ?

avatar Fedik
Fedik - comment - 14 Jun 2021

then subfrom will be broken for these fields,
there may be fields that use it

avatar dgrammatiko
dgrammatiko - comment - 14 Jun 2021

then subfrom will be broken for these fields, there may be fields that use it

Hard call (thankfully not my call). Allowing inline on-events is XSS prone. Disallowing on-events is stricter but probably all elements will be required to be defined custom-elements (own constructor etc). I'm ok reverting this. @wilsonge your call...

avatar Fedik
Fedik - comment - 14 Jun 2021

I understood the intention, and it good one.
but it pretty hard.

avatar dgrammatiko
dgrammatiko - comment - 14 Jun 2021

I understood the intention, and it good one.
but it pretty hard.

Till there's a viable solution for sanitization of the subform templates the changes have been reverted

avatar dgrammatiko dgrammatiko - change - 14 Jun 2021
The description was changed
avatar dgrammatiko dgrammatiko - edited - 14 Jun 2021
avatar joomdonation joomdonation - test_item - 15 Jun 2021 - Tested successfully
avatar joomdonation
joomdonation - comment - 15 Jun 2021

I have tested this item successfully on 934208e

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/34514.

avatar alikon alikon - test_item - 15 Jun 2021 - Tested successfully
avatar alikon
alikon - comment - 15 Jun 2021

I have tested this item successfully on 934208e

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/34514.

avatar alikon alikon - change - 15 Jun 2021
Status Pending Ready to Commit
avatar alikon
alikon - comment - 15 Jun 2021

RTC

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/34514.

avatar richard67 richard67 - close - 15 Jun 2021
avatar richard67 richard67 - merge - 15 Jun 2021
avatar richard67 richard67 - change - 15 Jun 2021
Status Ready to Commit Fixed in Code Base
Closed_Date 0000-00-00 00:00:00 2021-06-15 07:02:13
Closed_By richard67
Labels Added: ?
avatar richard67
richard67 - comment - 15 Jun 2021

Thanks!

Add a Comment

Login with GitHub to post a comment