Fix the HTML encoding when uploading a folder in FF when using french… #460

Merged
4 changes: 2 additions & 2 deletions apps/files/js/file-upload.js
@@ -474,9 +474,9 @@ OC.Upload = {
} else {
// HTTP connection problem
var message = t('files', 'Error uploading file "{fileName}": {message}', {
fileName: data.files[0].name,
fileName: escapeHTML(data.files[0].name),
message: data.errorThrown
});
}, undefined, {escape: false});
@LukasReschke (Member), Jul 20, 2016:
I got to say that I consider this a kinda risky change. While data.errorThrown may right now not echo back user controlled input this has still the potential to do bad things in the future… 🙈

@LukasReschke (Member), Jul 20, 2016:
Can we do that at

data.errorThrown = t('files',
'Unable to upload (unknown) as it is a directory or has 0 bytes',
{filename: file.name}
);
? Then we prevent the double escaping and don't introduce an XSS by mistake. :)

Member Author:
The file name is already escaped there, it is also escaped here.
The problem is that the actual translation contains the ', and when using that string here as a parameter in the translation, it is HTML encoded and displays as &#...;. So not sure how this could be fixed in the other place, if this place breaks it.

Member:
Simply unescape

data.errorThrown = t('files',
'Unable to upload (unknown) as it is a directory or has 0 bytes',
{filename: file.name}
);
? Then the escaping here will take care of it, or am I missing something?

Member:
Aha… Gotcha now… Let me think…

Member Author:
Unescape what? The unescape option only affects parameters, but the parameter is not the problem. Also the value in data.errorThrown here is not a problem, it's still what we would display in the UI. It's the t() method here, which takes the translated string as an argument and thereby s/'/&#..; the first translation. To avoid this I removed escaping from all parameters and only escaped the file name, since the string here is only translator controlled, not user controlled, we can and have to trust it anyway...

@LukasReschke (Member), Jul 20, 2016:
Ok. You're right. This is also all properly escaped since we don't use showHTML. (So even when passing HTML strings this shouldn't be rendered as HTML anyway.)

OC.Notification.show(message, {timeout: 0, type: 'error'});
if (data.result) {
var result = JSON.parse(data.result);
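Review bot: passing `{escape: false}` turns off escaping for every parameter of this `t()` call, so the safety of the rendered message now rests on each caller escaping user-controlled values by hand; `fileName` is wrapped in `escapeHTML()`, but `message: data.errorThrown` is passed through untouched, which is only correct as long as every value assigned to `data.errorThrown` is either a transport error string or an already-escaped translation (as the thread above establishes for the directory/0-byte case). A one-line comment above the call stating that invariant, e.g. `// escape: false because errorThrown is already escaped; fileName must be escaped explicitly`, would make the precondition visible to whoever adds the next `errorThrown` assignment. The positional `undefined` for the count argument is fine but deserves the same short note.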
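The double-escaping problem and the fix discussed in the thread above, as an added example that is not the project's own code: `t()` and `escapeHTML()` below are a simplified model of the helpers called in the diff (placeholder substitution with per-parameter HTML escaping that `{escape: false}` turns off), the French translation strings and the file name are constructed for the demonstration, and `buildMessage()` is a hypothetical wrapper that builds the nested message both ways.

```javascript
// Added example, not ownCloud/Nextcloud code: a minimal model of a
// placeholder-substituting translation helper with an `escape` option.
// It shows why escaping the translated inner message a second time corrupts
// translator-supplied apostrophes, and why escaping only the user-controlled
// file name exactly once is the safe middle ground.

// Approximation of escapeHTML(): entity-encode the five HTML metacharacters.
function escapeHTML(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Constructed translation table standing in for a French locale file.
// Both translations contain apostrophes, which is the trigger in the PR title.
const TRANSLATIONS = {
  'Unable to upload {filename} as it is a directory or has 0 bytes':
    "Impossible d'envoyer {filename} car il s'agit d'un dossier ou il a une taille de 0 octet",
  'Error uploading file "{fileName}": {message}':
    'Erreur lors de l\'envoi du fichier "{fileName}" : {message}',
};

// Model of t(app, text, vars, count, options): look up the translation, then
// substitute {name} placeholders. Each substituted value is HTML-escaped
// unless options.escape === false (assumed to mirror the call in the diff).
// `app` and `count` are accepted only to keep the call shape; unused here.
function t(app, text, vars, count, options) {
  const template = TRANSLATIONS[text] || text;
  const escapeVars = !(options && options.escape === false);
  return template.replace(/\{(\w+)\}/g, (match, name) => {
    if (!vars || !(name in vars)) return match;
    return escapeVars ? escapeHTML(vars[name]) : String(vars[name]);
  });
}

// Build the nested error message for one upload attempt two ways.
//  escapeOuterVars = true  : the behaviour before the change (default escaping)
//  escapeOuterVars = false : the change under review (escape: false + explicit escapeHTML)
function buildMessage(fileName, escapeOuterVars) {
  // Inner message: the file name is user-controlled and is escaped once here.
  const inner = t('files',
    'Unable to upload {filename} as it is a directory or has 0 bytes',
    { filename: fileName });

  if (escapeOuterVars) {
    // Every parameter is escaped again: the translator's apostrophes become
    // &#039; and the already-escaped file name becomes &amp;lt; ... &amp;gt;.
    return t('files', 'Error uploading file "{fileName}": {message}',
      { fileName: fileName, message: inner });
  }

  // Escape only the user-controlled file name; pass the already-safe
  // translated message through untouched.
  return t('files', 'Error uploading file "{fileName}": {message}',
    { fileName: escapeHTML(fileName), message: inner }, undefined, { escape: false });
}

console.log('double-escaped:', buildMessage('notes<1>.txt', true));
console.log('fixed:         ', buildMessage('notes<1>.txt', false));
```

Running `buildMessage('notes<1>.txt', true)` reproduces the symptom: the translator's apostrophes come back as `&#039;` and the file name, escaped once in the inner call, is escaped a second time to `&amp;lt;1&amp;gt;`. With outer escaping turned off and the file name escaped once explicitly, the only metacharacters left are inside the entity-encoded file name, so a name containing `<` still cannot become markup, while the apostrophes in the translation survive.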
4 changes: 2 additions & 2 deletions core/js/js.js
@@ -1127,7 +1127,7 @@ OC.Notification={
*
* @param {string} text Message to display
* @param {Object} [options] options
* @param {string] [options.type] notification type
* @param {string} [options.type] notification type
* @param {int} [options.timeout=0] timeout value, defaults to 0 (permanent)
* @return {jQuery} jQuery element for notification row
*/
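Review bot: the `{string]` to `{string}` correction on the `options.type` line is right and is the only change in this hunk; while touching the block, `@param {int} [options.timeout=0]` on the following line uses a type JSDoc does not define (`int` is not a JavaScript type), so `{number}` would be the consistent annotation. This hunk is documentation-only and unrelated to the encoding fix in the PR title, which is worth a line in the description.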
@@ -1143,7 +1143,7 @@ OC.Notification={
* @param {array} [options] options array
* @param {int} [options.timeout=7] timeout in seconds, if this is 0 it will show the message permanently
* @param {boolean} [options.isHTML=false] an indicator for HTML notifications (true) or text (false)
* @param {string] [options.type] notification type
* @param {string} [options.type] notification type
*/
showTemporary: function(text, options) {
var self = this;
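Review bot: the same `{string]` typo is fixed here, but the block still documents `@param {array} [options] options array` for `showTemporary` while `show()` in the hunk above declares `@param {Object} [options] options`; since the fields are read by key (`options.timeout`, `options.isHTML`, `options.type`), `{Object}` is the accurate type and could be corrected in the same pass, together with `{int}` to `{number}` for `timeout`.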