Bug report & fix - image description containing quotes or new lines breaks dashboard page

Found this bug on the license my customer purchased.

If an image description contains new lines or quotes, it breaks the javascript in the owl dashboard page.

My temporary fix is to remove new lines and escape the quotes at lines 1782, 1783:
image_title: '<?php echo h(preg_replace("/\s+/",' ',File::getByID($row->itemImageID)->getApprovedVersion()->getTitle()));?>',
image_description: '<?php echo h(preg_replace("/\s+/",' ',File::getByID($row->itemImageID)->getApprovedVersion()->getDescription()));?>',

This has enabled us to recover the site for now.
In the long term, a more thorough fix would be to pass the title and description to the javascript JSON encoded as that would ensure anything that needed escaping was fully escaped.

I don't know if the bug exists in the slider block view because we are using a custom block template.

Type: Discussion
Status: In Progress
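The two patterns discussed in the report side by side, as an added example that is not code from the original post or from the Owl Carousel add-on: the string-interpolation pattern that breaks on quotes and newlines, and the JSON-encoded alternative the post proposes. The add-on's file lookup (`File::getByID(...)->getApprovedVersion()`) is replaced by a constructed array so the snippet runs stand-alone with the PHP CLI.

```php
<?php
// Added example; not part of the original thread or the add-on's code.
// Contrasts the interpolation pattern described in the report with the
// JSON-encoded alternative suggested in the post.

// Constructed sample values: a description containing a single quote and a
// newline, the kind of file-manager input the report says breaks the page.
$row = [
    'title'       => "Summer sale",
    'description' => "Children's toys\n50% off",
];

// Pattern from the report: the value is dropped into a single-quoted JS
// literal. The apostrophe terminates the literal and the newline splits it,
// so the generated assignment is a syntax error; with other input, a user who
// can edit file descriptions could also inject script into the dashboard.
function inline_unsafe(array $row): string {
    return "image_description: '" . $row['description'] . "',";
}

// Hardened pattern: json_encode emits a valid JS string literal for any
// input (quotes and newlines become \" and \n). The JSON_HEX_* flags also
// encode < > & ' " as \uXXXX, so a value containing a closing script tag
// cannot end the surrounding <script> block, and the same output is safe
// inside an HTML attribute.
const JS_SAFE = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;

function inline_json(array $row): string {
    return "image_description: " . json_encode($row['description'], JS_SAFE) . ",";
}

echo "interpolated:\n" . inline_unsafe($row) . "\n\n";
echo "json encoded:\n" . inline_json($row) . "\n";
```

Run it with `php example.php` and compare the two lines: the first is split across two lines with an unterminated literal, the second is a single valid JavaScript string.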
shahroq replied:
Can you be more specific? I couldn't recreate the error on my localhost. Or send me a sql dump from the `whaleOwlCarousel` table?
The description is already escaped at the controller.
Thanks for reporting the issue,
JohntheFish replied:
Sorry for delay, for some reason I wasn't subscribed to replies (I should be now).

My customer created a carousel with image files, then later added descriptions to the image files using the file manager.

Those file descriptions entered through the file manager are not escaped in any way by c5.

In the owl dashboard php code the file description properties are printed out directly into the javascript, so if they contain quotes or new lines, the created javascript assignment can become broken code. (I could probably also use this to create a script injection, but that isn't a security risk here, just a simple broken script code).
shahroq replied:
I uploaded a new version ( It should fix the issue.

concrete5 Environment Information

Browser User-Agent String:
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36
