Pending


janschoenherr - 10 Jan 2025

With the below change, slashes in markup, added as script option, are no longer correctly escaped.

3392240
#41330

Please also see: https://www.w3.org/TR/REC-html40/appendix/notes.html#h-B.3.2

When script or style data is the content of an element (SCRIPT and STYLE), the data begins immediately after the element start tag and ends at the first ETAGO ("</") delimiter followed by a name start character ([a-zA-Z]); note that this may not be the element's end tag. Authors should therefore escape "</" within the content. Escape mechanisms are specific to each scripting or style sheet language.

Summary of Changes

Remove the JSON_UNESCAPED_SLASHES flag.

Testing Instructions

Add the following code to any controller action, e.g. DisplayController::display() in administrator/components/com_content/src/Controller/

\Joomla\CMS\Factory::getApplication()->getDocument()->addScriptOptions('test', '</script>');

Browse to the corresponding page.

Actual result BEFORE applying this Pull Request

It will break the resulting markup, because the slash in </script> is not escaped.

Expected result AFTER applying this Pull Request

The resulting markup correctly escapes the slash in </script>.

Link to documentations

Please select:

  • Documentation link for docs.joomla.org:

  • No documentation changes for docs.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed
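The breakout described in the testing instructions, reproduced as an added JavaScript example (not Joomla code, not from this PR): a naive encoder that leaves "/" untouched, like json_encode with JSON_UNESCAPED_SLASHES, beside one that emits the JSON escape "\/", which is what json_encode produces without that flag, plus a check for the ETAGO ("</" followed by a letter) sequence from the HTML 4 note quoted above. The sample options object and all function names are constructed for this example.

```javascript
// Added example, not part of the Joomla code base or this pull request.
// JSON accepts "\/" as an escape for "/", so escaping every slash keeps the
// payload valid JSON while removing the "</" sequence that terminates the
// script data of an inline <script> element in the HTML parser.

// Constructed sample: the kind of value a third-party extension might push
// into script options, including raw article HTML with a closing tag.
const sampleOptions = { test: "</script>", html: "<p>article</p>" };

// Naive encoding: JSON.stringify never escapes "/", so "</script>" survives
// verbatim (equivalent to json_encode with JSON_UNESCAPED_SLASHES).
function encodeNaive(value) {
  return JSON.stringify(value);
}

// Defensive encoding: rewrite every "/" as "\/" (equivalent to json_encode
// without JSON_UNESCAPED_SLASHES). JSON.parse still returns the original text.
function encodeForScript(value) {
  return JSON.stringify(value).replace(/\//g, "\\/");
}

// Check from the HTML 4 note: script data ends at "</" followed by a letter,
// whether or not that is the element's own end tag.
function hasEtagoBreakout(scriptData) {
  return /<\/[a-zA-Z]/.test(scriptData);
}

// How an inline options block embeds the encoded JSON; the naive variant
// closes the element early at the embedded "</script>".
function renderScriptBlock(json) {
  return '<script type="application/json">' + json + "</script>";
}
```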

janschoenherr - open - 10 Jan 2025
janschoenherr - change - 10 Jan 2025
Status: New -> Pending
joomla-cms-bot - change - 10 Jan 2025
Category: Libraries
QuyTon - comment - 5 Feb 2025
Fedik - comment - 6 Feb 2025

I do not know any good reason to store the <script> tag in JS options.
I would close it as "do not want to fix".

janschoenherr - comment - 6 Feb 2025

@Fedik

I do not know any good reason to store the <script> tag in JS options.

Hi, we had a Joomla 3rd party extension crash our users sites.
https://extensions.joomla.org/extension/content-export-article/

They add the article html into the JS options.

Is there a specific reason why you do not want the slashes to be escaped?

Fedik - comment - 6 Feb 2025

I can understand your frustration.

They add the article html into the JS options.

This is a valid reason, but it is not a good reason, especially when it contains script, which can lead to self-XSS.

Is there a specific reason why you do not want the slashes to be escaped?

Reduce size of json output. And to avoid unnecessary computation.
(Use of </script> is very edge case.)

In any case I will not block this PR, when other maintainers decide we need it, it can be merged.

Fedik - test_item - 6 Feb 2025 - Tested successfully
Fedik - comment - 6 Feb 2025

I have tested this item ✅ successfully on dd579f5

It works, but see my previous comment.


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/44717.

brianteeman - comment - 6 Feb 2025

Is there a specific reason why you do not want the slashes to be escaped?

surely that is a security risk?

Fedik - comment - 6 Feb 2025

surely that is a security risk?

no, json does not need escaped slashes.
