[#47639] - [6.2] remove useless pseudo-xss check code in com_templates
- Ready to Commit
- Medium
- Build: 6.1-dev
- # 47639
- Diff
- SniperSister:6.1-remove-pointless-template-check
User tests: Successful: Unsuccessful:
Summary of Changes
This PR removes a completely pointless pseudo security-check in the TemplateHelper.
The code was supposed to check the last 256 chars of an uploaded file for HTML tags - which should removed for various reasons:
- the code does not work. It's using -1 as offset and will always only return the very last char - and that never matches with the tag blocklist
- HTML tags are valid content for files in the template manager, because it manages the template overrides
- the template manager allows adding/editing PHP code, it's "remote code execution" by design - don't worry about
<table>tags folks, if someone has access to your PHP files, you are screwed anyways
Why removing it now: AI agents start checking our codebase, that snippet here will very likely cause reports about the wrong offset in file_get_contents.
Testing Instructions
Code review
Actual result BEFORE applying this Pull Request
Code present
Expected result AFTER applying this Pull Request
Code gone
Link to documentations
Please select:
-
Documentation link for guide.joomla.org:
-
No documentation changes for guide.joomla.org needed
-
Pull Request link for manual.joomla.org:
-
No documentation changes for manual.joomla.org needed
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Administration com_templates |
I have tested this item ✅ successfully on accde23
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47639.
I have tested this item ✅ successfully on accde23
Code review. The removed code is indeed pretty useless and reads only the last character.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47639.
I have tested this item ✅ successfully on accde23
Code review. The removed code is indeed pretty useless and reads only the last character.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47639.
| Status | Pending | ⇒ | Ready to Commit |
| Labels |
Added:
PR-6.1-dev
|
||
RTC
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47639.
RTC
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47639.
What seems a bit strange to me is that this pr is for the 6.1-dev branch.
If there is some reason not to do it in a patch version, it should go into 6.2-dev.
But if it can be done with a patch version, it can also be done in 5.4-dev (and merged up into 6.1-dev). For me that would be ok.
@muhme @HLeithner @tecpromotion What do you think?
actually that should go into 6.2
| Title |
|
||||||
| Labels |
Added:
RTC
PR-6.2-dev
Removed: PR-6.1-dev |
||
I have tested this item ✅ successfully on accde23
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47639.