WIP - optin escape on output for smarty #21935
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
(Standard links)
|
|
test this please |
|
The find/replace is backwards I think (isset would become !empty), although I'm not clear yet on what this is actually about. For example I don't see what's wrong with the original here: https://github.com/civicrm/civicrm-core/pull/21935/files#diff-6c8cfb09c10a673dc77c3bfef2a71abca2cd0d1860752ace4929f89021ea3fdcL11 |
|
@demeritcowboy yeah - I only searched for isset as a quick & dirty - I guess all the `!isset ones will be wrong. isset doesn't work on the output from a function - & if you enable filtering by default that is what you are working with. Filter on output means every variable used in a smarty template is escaped - & hence is the output of an escaping function. In order to not white screen I carved out a whole lotta exceptions - but at this stage the site is loading for me with it & I can edit contacts & a few other things which is further than I've ever gotten before. Those issets will need to be picked off 1 by 1 though. |
|
Ahhhh. |
eileenmcnaughton
added a commit
to eileenmcnaughton/civicrm-core
that referenced
this pull request
Oct 29, 2021
Per civicrm#21935 it turns out isset will be a blocker to ever doing escape on output so switching a couple of places to empty. In the last case empty doesn't cut it so I added smarty:nodefaults so that it would not be escaped. isset doesn't work on the out put from a function
This was referenced Oct 29, 2021
CRM/Core/Smarty.php
Outdated
| $this->register_modifier('escape', ['CRM_Core_Smarty', 'escape']); | ||
|
|
||
| if (CRM_Utils_Constant::value('CIVICRM_SMARTY_DEFAULT_ESCAPE')) { | ||
| $this->default_modifiers = ['escape:"htmlall"']; |
There was a problem hiding this comment.
Should this be appending to the default_modifiers array, in case it's already set?
There was a problem hiding this comment.
yeah makes sense
524b4e5 to
cd406aa
Compare
eileenmcnaughton
added a commit
to eileenmcnaughton/civicrm-core
that referenced
this pull request
Oct 29, 2021
Per civicrm#21935 it turns out isset will be a blocker to ever doing escape on output so switching a couple of places to empty. In the last case empty doesn't cut it so I added smarty:nodefaults so that it would not be escaped. isset doesn't work on the out put from a function
bc1f197 to
fd33c35
Compare
|
I'm surprised by the behavior you're describing because it's different than what I'm used to in Angular templates. In Angular-js, when you write something like |
|
Smarty doesn't escape anything, the |
eileenmcnaughton
added a commit
to eileenmcnaughton/civicrm-core
that referenced
this pull request
Oct 31, 2021
Per civicrm#21935 it turns out isset will be a blocker to ever doing escape on output so switching a couple of places to empty. In the last case empty doesn't cut it so I added smarty:nodefaults so that it would not be escaped. isset doesn't work on the out put from a function
fd33c35 to
7b0af45
Compare
eileenmcnaughton
added a commit
to eileenmcnaughton/civicrm-core
that referenced
this pull request
Oct 31, 2021
Per civicrm#21935 it turns out isset will be a blocker to ever doing escape on output so switching a couple of places to empty. In the last case empty doesn't cut it so I added smarty:nodefaults so that it would not be escaped. isset doesn't work on the out put from a function
308ab5d to
d13dbd4
Compare
eileenmcnaughton
added a commit
to eileenmcnaughton/civicrm-core
that referenced
this pull request
Oct 31, 2021
Per civicrm#21935 it turns out isset will be a blocker to ever doing escape on output so switching a couple of places to empty. In the last case empty doesn't cut it so I added smarty:nodefaults so that it would not be escaped. isset doesn't work on the out put from a function
8019054 to
d09438f
Compare
eileenmcnaughton
added a commit
to eileenmcnaughton/civicrm-core
that referenced
this pull request
Nov 1, 2021
Per civicrm#21935 it turns out isset will be a blocker to ever doing escape on output so switching a couple of places to empty. In the last case empty doesn't cut it so I added smarty:nodefaults so that it would not be escaped. isset doesn't work on the out put from a function
d09438f to
6e19edd
Compare
eileenmcnaughton
added a commit
to eileenmcnaughton/civicrm-core
that referenced
this pull request
Nov 1, 2021
This adjusts the smarty class such that if you have the define below escape-on-output is enabled This PR + fixing the use of isset in the template layer are the pre-requisites for turning escape on output on and off. Keeping this part in an unmerged branch is tricky as the templates need to be recompiled when you switch to a branch which does not have this function I envisage us starting to use this define in our dev environments fairly soon as it's working well locally for me on civicrm#21935
eileenmcnaughton
added a commit
to eileenmcnaughton/civicrm-core
that referenced
this pull request
Nov 1, 2021
This adjusts the smarty class such that if you have the define below escape-on-output is enabled This PR + fixing the use of isset in the template layer are the pre-requisites for turning escape on output on and off. Keeping this part in an unmerged branch is tricky as the templates need to be recompiled when you switch to a branch which does not have this function I envisage us starting to use this define in our dev environments fairly soon as it's working well locally for me on civicrm#21935
eileenmcnaughton
added a commit
to eileenmcnaughton/civicrm-core
that referenced
this pull request
Nov 1, 2021
This adjusts the smarty class such that if you have the define below escape-on-output is enabled This PR + fixing the use of isset in the template layer are the pre-requisites for turning escape on output on and off. Keeping this part in an unmerged branch is tricky as the templates need to be recompiled when you switch to a branch which does not have this function I envisage us starting to use this define in our dev environments fairly soon as it's working well locally for me on civicrm#21935
|
Just adding some thoughts for when this gets to dev-docs stage: A file that looks like https://github.com/civicrm/civicrm-core/pull/21939/files where the new default is now about half of the instances leads to an awkward looking file, and difficult for devs to know what to use when and makes it security-issue-prone. It sounds like the desired order from best to worst would be:
|
|
@demeritcowboy that sounds right - that file is an outlier in terms of awkwardness though - the array is compiled in multiple places making 2 quite tricky & there is very little in that file that is not at risk of not being set. |
9650905 to
3b87305
Compare
eileenmcnaughton
added a commit
to eileenmcnaughton/civicrm-core
that referenced
this pull request
Nov 10, 2021
Per civicrm#21935 it turns out isset will be a blocker to ever doing escape on output so switching a couple of places to empty. In the last case empty doesn't cut it so I added smarty:nodefaults so that it would not be escaped. isset doesn't work on the out put from a function
3b87305 to
8e8b1f0
Compare
eileenmcnaughton
added a commit
to eileenmcnaughton/civicrm-core
that referenced
this pull request
Nov 10, 2021
Per civicrm#21935 it turns out isset will be a blocker to ever doing escape on output so switching a couple of places to empty. In the last case empty doesn't cut it so I added smarty:nodefaults so that it would not be escaped. isset doesn't work on the out put from a function
8e8b1f0 to
bb5f26d
Compare
eileenmcnaughton
added a commit
to eileenmcnaughton/civicrm-core
that referenced
this pull request
Nov 11, 2021
Per civicrm#21935 it turns out isset will be a blocker to ever doing escape on output so switching a couple of places to empty. In the last case empty doesn't cut it so I added smarty:nodefaults so that it would not be escaped. isset doesn't work on the out put from a function
bb5f26d to
cf4893d
Compare
eileenmcnaughton
added a commit
to eileenmcnaughton/civicrm-core
that referenced
this pull request
Nov 11, 2021
Per civicrm#21935 it turns out isset will be a blocker to ever doing escape on output so switching a couple of places to empty. In the last case empty doesn't cut it so I added smarty:nodefaults so that it would not be escaped. isset doesn't work on the out put from a function
cf4893d to
4b95532
Compare
eileenmcnaughton
added a commit
to eileenmcnaughton/civicrm-core
that referenced
this pull request
Nov 12, 2021
Per civicrm#21935 it turns out isset will be a blocker to ever doing escape on output so switching a couple of places to empty. In the last case empty doesn't cut it so I added smarty:nodefaults so that it would not be escaped. isset doesn't work on the out put from a function
4b95532 to
96f8151
Compare
eileenmcnaughton
added a commit
to eileenmcnaughton/civicrm-core
that referenced
this pull request
Nov 12, 2021
Per civicrm#21935 it turns out isset will be a blocker to ever doing escape on output so switching a couple of places to empty. In the last case empty doesn't cut it so I added smarty:nodefaults so that it would not be escaped. isset doesn't work on the out put from a function
96f8151 to
872f549
Compare
eileenmcnaughton
added a commit
to eileenmcnaughton/civicrm-core
that referenced
this pull request
Nov 13, 2021
Per civicrm#21935 it turns out isset will be a blocker to ever doing escape on output so switching a couple of places to empty. In the last case empty doesn't cut it so I added smarty:nodefaults so that it would not be escaped. isset doesn't work on the out put from a function
872f549 to
c549150
Compare
eileenmcnaughton
added a commit
to eileenmcnaughton/civicrm-core
that referenced
this pull request
Nov 14, 2021
Per civicrm#21935 it turns out isset will be a blocker to ever doing escape on output so switching a couple of places to empty. In the last case empty doesn't cut it so I added smarty:nodefaults so that it would not be escaped. isset doesn't work on the out put from a function
c549150 to
5d0ebfc
Compare
5d0ebfc to
d848fee
Compare
These should always be set via CRM_Core_Invoke. That is not the case in the tested hook but I think it 'really' would go through there so setting in the test
As seen on civicrm/admin/options/acl_role?reset=1
d848fee to
c256b07
Compare
|
I don't think this PR adds value now - it was conceptual but the parts are addressed elsewhere |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
WIP - optin escape on output for smarty.
This adds a 'strict mode' - it is not expected to be used in strict mode on live sites at the moment but allows devs to turn it on
Before
Status quo
After
No change unless you add
(or use env to set the same)
AND delete templates_c
If you do you get a 'mostly functional' site with escape on output enabled - with a bunch of holes punched through.
Anything actually changed during escaping is logged to the civi log
Technical Details
The key parts to this are
issetin templates - even though we just added it .... Isset is not compatible with variables being escaped. I did a really rough find & replace here but it will need a more careful pass to get merged. We can pick these offThat works in smarty 2 & smarty 3 and says 'do not apply any default modifiers'. We currently don't have any default modifiers but default -escaping is a default modifier
Comments