Bug report & fix - image description containing quotes or new lines breaks dashboard page
Found this bug on the license my customer purchased.
packages/whale_owl_carousel/single_pages/dashboard/files/whale_owl_carousel/view.php
If an image description contains new lines or quotes, it breaks the javascript in the owl dashboard page.
My temporary fix is to remove new lines and escape the quotes at lines 1782, 1783:
image_title: '<?php echo h(preg_replace("/\s+/", ' ', File::getByID($row->itemImageID)->getApprovedVersion()->getTitle())); ?>',
image_description: '<?php echo h(preg_replace("/\s+/", ' ', File::getByID($row->itemImageID)->getApprovedVersion()->getDescription())); ?>',
This has enabled us to recover the site for now.
In the long term, a more thorough fix would be to pass the title and description to the javascript JSON encoded as that would ensure anything that needed escaping was fully escaped.
I don't know if the bug exists in the slider block view because we are using a custom block template.
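To show the difference between the temporary fix and the JSON-encoding approach suggested above, here is an added stand-alone PHP example (not code from the whale_owl_carousel package). h() is re-implemented locally as htmlspecialchars with ENT_QUOTES, which is assumed to match concrete5's helper.

```php
<?php
// Added example: how a file description ends up inside a JavaScript string
// literal in a dashboard view, and why JSON-encoding is the robust fix.

// Constructed sample description containing a single quote and a line break.
$description = "Ship's bell\nrung at 'eight bells'";

// 1. Direct interpolation, as in the affected view.php before the fix:
//    the quote and the newline both terminate the JS string literal early,
//    leaving a syntax error (or, in the worst case, attacker-chosen JS).
function rawLiteral(string $s): string
{
    return "image_description: '" . $s . "',";
}

// 2. The temporary fix from the report: collapse whitespace, then HTML-escape.
//    Assumption: concrete5's h() behaves like htmlspecialchars with ENT_QUOTES.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}
function temporaryLiteral(string $s): string
{
    return "image_description: '" . h(preg_replace('/\s+/', ' ', $s)) . "',";
}

// 3. Long-term fix: emit a JSON literal and drop the hand-written quotes.
//    json_encode produces a valid JS string for any valid UTF-8 input; the
//    JSON_HEX_* flags additionally encode < > & ' " so the value can neither
//    close an enclosing <script> element nor break an HTML attribute.
function jsonLiteral(string $s): string
{
    $encoded = json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE
    );
    if ($encoded === false) {
        // Invalid UTF-8 in the stored description: fail closed with an empty string.
        $encoded = '""';
    }
    return 'image_description: ' . $encoded . ',';
}

echo rawLiteral($description), "\n";
echo temporaryLiteral($description), "\n";
echo jsonLiteral($description), "\n";
```

Compare the three lines of output: only the first contains an unescaped quote or raw newline inside the literal, and only the third preserves the original text exactly (the line break survives as \n).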
| Type: | Discussion |
|---|---|
| Status: | In Progress |
Sorry for delay, for some reason I wasn't subscribed to replies (I should be now).
My customer created a carousel with image files, then later added descriptions to the image files using the file manager.
Those file descriptions entered through the file manager are not escaped in any way by c5.
In the owl dashboard php code the file description properties are printed out directly into the javascript, so if they contain quotes or new lines, the created javascript assignment can become broken code. (I could probably also use this to create a script injection, but that isn't a security risk here, just a simple broken script code).
Hi,
I uploaded a new version (2.5.7.3). It should fix the issue.
Cheers,
Can you be more specific? I couldn't recreate the error on my localhost. Or could you send me a SQL dump from the `whaleOwlCarousel` table?
The description already escaped at the controller.
Thanks for reporting the issue,
Cheers,