flangefrog, posted March 11, 2014

Just a small issue with the feed reader plugin here. I'm sure you're aware of it, but the HTML special characters are getting encoded twice, making an ampersand display as &amp; (&amp;amp; in the source). I would look into this myself, but it will probably be a lot quicker for the original developer, and I'm currently busy with work and creating my Web Drive module.
flangefrog (author), posted April 3, 2014

OK, I've found the problem:

/plugins/feed_reader/views/default/admin_main.pdt
Line 19, Column 145

Replace
<?php $this->Html->_($articles[$i]->data['title']);?>
With
<?php echo $this->Html->ifSet($articles[$i]->data['title']);?>

Any chance you could add this fix (or an equivalent one) to the core?
Paul, posted April 3, 2014

CORE-1123, thanks for the report!
flangefrog (author), posted April 7, 2014

In addition to the above, it looks like the same thing needs to be done for the URLs. URLs like index.php?foo&bar are encoded like index.php?foo&amp;bar.

/plugins/feed_reader/views/default/admin_main.pdt
Line 19, Column 75

Replace
<?php $this->Html->_($articles[$i]->data['link']);?>
With
<?php echo $this->Html->ifSet($articles[$i]->data['link']);?>
Cody, posted April 27, 2014

"index.php?foo&amp;bar" is the correct way to encode URIs. Are you saying the URI is doubly encoded (as in "index.php?foo&amp;amp;bar")? That would be a problem. Your fix, from what I see, would open the system up to XSS.
flangefrog (author), posted April 28, 2014

Cody, I don't think that's correct.

For a URL index.php?foo=bar&baz=qux
foo = bar
baz = qux

For a URL index.php?foo=bar&amp;baz=qux
foo = bar
amp;baz = qux

The ampersand should only be encoded when it's part of a param, i.e. when you're passing a URL as a param. Refer to http://tools.ietf.org/html/rfc3986#section-2

I think instead of using HTML entity encoding, you should be using something like rawurlencode(), which encodes the URL according to the RFC mentioned above. SimplePie may do this itself; it seems to at least escape the content (which is why Blesta was double encoding it).
Cody, posted April 28, 2014

Encoding is different than escaping. Don't have time to pull up the HTML spec, but this might help clarify: http://stackoverflow.com/questions/3705591/do-i-encode-ampersands-in-a-href.
flangefrog (author), posted April 28, 2014

Thanks for the link. I hadn't realised that the dev tools were decoding the HTML. However, looking at the raw AJAX response, it returns this:

index.php?_m=news&amp;_a=viewnews&amp;newsid=1339
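The thread turns on three distinct outputs for the same feed item: the value escaped once for HTML (correct, and what produces "&amp;" inside an href), the value escaped twice (the reported bug), and the value printed with no escaping (the proposed fix, and the XSS concern Cody raises). The script below is an added example, not code from Blesta, SimplePie or any poster here; the feed item is constructed for the demo, and html_escape is a helper defined in the script, not Blesta's Html helper. It also shows, as a separate step, where rawurlencode-style URL encoding belongs: when a value is placed inside a query string, before the resulting URL is HTML-escaped for the attribute.

```php
<?php
// Added example (not Blesta's or SimplePie's code): the three output variants
// discussed in the thread for one feed item, side by side.

declare(strict_types=1);

// Constructed sample item. A feed title that carries markup stands in for the
// untrusted case; SimplePie's sanitizer would normally strip such markup, and
// this demo assumes a value that reached the view without being escaped.
$item = [
    'title' => 'Tom & Jerry <script>alert(1)</script>',
    'link'  => 'index.php?_m=news&_a=viewnews&newsid=1339',
];

// Escape a value exactly once for an HTML text or attribute context.
// (Helper defined here for the demo; it is not the Blesta Html helper.)
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// (1) Correct: escape once, at the point of output. Inside an href, "&amp;" is
//     the right serialisation of "&"; the browser decodes it before following
//     the link, which is why the dev tools show a plain "&".
$once = sprintf(
    '<a href="%s">%s</a>',
    html_escape($item['link']),
    html_escape($item['title'])
);

// (2) The reported bug: the value was already escaped upstream (by the feed
//     library) and the view escaped it again, giving "&amp;amp;" in the source
//     and a visible "&amp;" on the rendered page.
$twice = sprintf(
    '<a href="%s">%s</a>',
    html_escape(html_escape($item['link'])),
    html_escape(html_escape($item['title']))
);

// (3) The proposed "fix": print the value with no escaping at all. The double
//     encoding disappears, but so does the protection; the <script> tag is
//     emitted verbatim. This is the XSS risk raised in the thread.
$raw = sprintf('<a href="%s">%s</a>', $item['link'], $item['title']);

echo "Escaped once (correct):\n$once\n\n";
echo "Escaped twice (the bug):\n$twice\n\n";
echo "Not escaped (XSS risk):\n$raw\n\n";

// URL encoding is a separate concern from HTML escaping. It applies when a
// value is itself a query parameter (here: a URL passed as the "return"
// parameter). PHP_QUERY_RFC3986 makes http_build_query use rawurlencode-style
// percent-encoding; the finished URL is then HTML-escaped once for the attribute.
$query = http_build_query(['return' => $item['link']], '', '&', PHP_QUERY_RFC3986);
$link  = 'index.php?_m=news&' . $query;
echo "URL-encoded parameter value, then HTML-escaped for the href:\n";
echo '<a href="' . html_escape($link) . '">back</a>' . "\n";
```

The takeaway for the view is that the value must be escaped exactly once on its way into the HTML: either the view receives the raw value and escapes it itself, or it receives a value the feed library has already escaped and prints that without a second pass. Dropping escaping altogether to cure the double encoding trades a cosmetic "&amp;" for script injection, so the fix should be the first of those two, not the third variant above.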