[#44717] - [5.2] Fix unescaped slashes break markup in script tag
- Ready to Commit
- Medium
- Build: 5.2-dev
- # 44717
- Diff
- janschoenherr:patch-21
User tests: Successful: Unsuccessful:
With the below change, slashes in markup, added as script option, are no longer correctly escaped.
Please also see: https://www.w3.org/TR/REC-html40/appendix/notes.html#h-B.3.2
When script or style data is the content of an element (SCRIPT and STYLE), the data begins immediately after the element start tag and ends at the first ETAGO ("</") delimiter followed by a name start character ([a-zA-Z]); note that this may not be the element's end tag. Authors should therefore escape "</" within the content. Escape mechanisms are specific to each scripting or style sheet language.
Summary of Changes
Remove the JSON_UNESCAPED_SLASHES flag.
Testing Instructions
Add the following code to any controller action. e.g. DisplayController::display() in administrator/components/com_content/src/Controller/
\Joomla\CMS\Factory::getApplication()->getDocument()->addScriptOptions('test', '</script>');
Browse to the corresponding page.
Actual result BEFORE applying this Pull Request
It will break the resulting markup, because the slash in </script> is not escaped.
Expected result AFTER applying this Pull Request
The resulting markup correctly escapes the slash in </script>.
Link to documentations
Please select:
-
Documentation link for docs.joomla.org:
-
No documentation changes for docs.joomla.org needed
-
Pull Request link for manual.joomla.org:
-
No documentation changes for manual.joomla.org needed
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Libraries |
I do not know any good reason to store the <script> tag in JS options.
I would close it as "do not won't to fix".
I do not know any good reason to store the <script> tag in JS options.
Hi, we had a Joomla 3rd party extension crash our users sites.
https://extensions.joomla.org/extension/content-export-article/
They add the article html into the JS options.
Is there a specific reason why you do not want the slashes to be escaped?
I can understand your frustration.
They add the article html into the JS options.
This is valid reason, but it is not a good reason, especialy when it contains script, that can lead to self xss.
Is there a specific reason why you do not want the slashes to be escaped?
Reduce size of json output. And to avoid unnecessary computation.
(Use of </script> is very edge case.)
In any case I will not block this PR, when other maintainers decide we need it, it can be merged.
I have tested this item ✅ successfully on dd579f5
It is works but look my previous comment.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/44717.
Is there a specific reason why you do not want the slashes to be escaped?
surely that is a security risk?
surely that is a security risk?
no, json does not need escaped slashes.
I have tested this item ✅ successfully on dd579f5
I have tested this item ✅ successfully on dd579f5
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/44717.
| Status | Pending | ⇒ | Ready to Commit |
| Labels |
Added:
bug
RMDQ
PR-5.2-dev
|
||
RTC but also RMDQ (release managers decision queue)
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/44717.
@Fedik