In-Portal Issue Tracker

Welcome to the In-Portal Open Source CMS Issue Tracker! This is a central management / tracking tool for all types of tasks / issues / bugs for the In-Portal Project. Before reporting any issues, please make sure to read the Guide into Issue Tracker and How to Properly Test and Report Bugs!

Viewing Issue Simple Details [ Jump to Notes ] [ Wiki ]

[ View Advanced ] [ Issue History ] [ Print ]

ID

Category

Type

Reproducibility

Date Submitted

Last Update

0000530

[In-Portal CMS] Front End

feature request

N/A

2010-01-05 04:59

2010-07-22 15:06

Reporter

alex

View Status

public

Project Name

In-Portal CMS

Assigned To

alex

Developer

Priority

normal

Resolution

fixed

Fixed in Version

5.1.0-B1

Status

closed

Product Version

5.0.2-B2

Target Version

5.1.0

Time Estimate

No estimate

Summary

0000530: Improvements of "m_Get" and "m_GetConfig" tags

Description

Tag "m_Get" is used to retrieve any variable from browser (get, post, cookie). This tag has internal parameter named "htmlchars", which applies "htmlspecialchars" function on it's result. This functionality is redundant, since we have "html_escape" parameter, that is processed for each tag, that does the same. I propose to remove "htmlchars" parameter processing.

There is another issue with "m_Get" tag. As security measure we apply "htmlspecialchars" by default on all browser variables, that are used on front-end (this way all type of injections are prevented). In case if developer wan't to output actual variable's value without "htmlspecialchars" function applied to it, then there is no way. I propose to add "no_html_escape" parameter that will do that for "m_Get" tag.

Tag "m_GetConfig" is used to retrieve configuration variable's value by given name. Also "escape" parameter is processed internally, that does the same as global tag parameter "js_escape". So I propose to remove it too.

Additional Information

Tags

No tags attached.

Reference

http://groups.google.com/group/in-portal-dev/browse_thread/thread/27bfe06312f7eaec

Change Log Message

Estimate Points

0

main_processor_fix.patch [^] (1,016 bytes) 2010-01-05 04:59 [Show Content]

Index: main_processor.php
===================================================================
--- main_processor.php	(revision 13010)
+++ main_processor.php	(working copy)
@@ -345,8 +345,15 @@
 	 */
 	function Get($params)
 	{
-		$ret = $this->Application->GetVar($this->SelectParam($params, 'name,var,param'), '');
-		return getArrayValue($params, 'htmlchars') ? htmlspecialchars($ret) : $ret;
+		$name = $this->SelectParam($params, 'name,var,param');
+
+		$ret = $this->Application->GetVar($name, '');
+
+		if (array_key_exists('no_html_escape', $params) && $params['no_html_escape']) {
+			return unhtmlentities($ret);
+		}
+
+		return $ret;
 	}
 
 	/**
@@ -374,9 +381,8 @@
 	function GetConfig($params)
 	{
 		$config_name = $this->SelectParam($params, 'name,var');
-		$ret = $this->Application->ConfigValue($config_name);
-		if( getArrayValue($params, 'escape') ) $ret = addslashes($ret);
-		return $ret;
+		
+		return $this->Application->ConfigValue($config_name);
 	}
 
 	function ConfigEquals($params)

Relationships [ Relation Graph ] [ Dependency Graph ]

parent of

closed (5.2.0)

Special Characters in Website Name break Admin Menu

Notes
(0001915) Dmitry (manager) 2010-04-24 23:39	Tested good - please commit

(0001920) alex (manager) 2010-04-25 07:09	Fix committed to 5.1.x branch. Commit Message: Fixes 0000530: Improvements of "m_Get" and "m_GetConfig" tags

(0002561) alex (manager) 2010-07-22 15:06	Closing, since 5.1.0 release has been released.

Related Changesets
In-Portal CMS: 5.1.x r13395 Timestamp: 2010-04-25 07:09:14 Author: alex [ Details ] [ Diff ]	Fixes 0000530: Improvements of "m_Get" and "m_GetConfig" tags
	mod - /in-portal/branches/5.1.x/core/kernel/processors/main_processor.php		[ Diff ] [ File ]

Issue History
Date Modified	Username	Field	Change
2012-04-26 02:37	alex	Relationship added	parent of 0001266
2010-07-22 15:06	alex	Note Added: 0002561
2010-07-22 15:06	alex	Status	resolved => closed
2010-04-25 07:09	alex	Note Added: 0001920
2010-04-25 07:09	alex	Status	reviewed and tested => resolved
2010-04-25 07:09	alex	Fixed in Version	=> 5.1.0-B1
2010-04-25 07:09	alex	Resolution	open => fixed
2010-04-25 07:09	alex	Assigned To	!COMMUNITY => alex
2010-04-25 07:09	alex	Changeset attached	5.1.x r13395
2010-04-24 23:39	Dmitry	Time Estimate Removed	1 =>
2010-04-24 23:39	Dmitry	Note Added: 0001915
2010-04-24 23:39	Dmitry	Status	needs testing => reviewed and tested
2010-02-27 04:08	alex	Developer	=> alex
2010-01-12 11:16	alex	Time Estimate Added	1
2010-01-12 10:32	alex	Target Version	Icebox => 5.1.0
2010-01-05 05:00	alex	Assigned To	=> !COMMUNITY
2010-01-05 05:00	alex	Status	active => needs testing
2010-01-05 05:00	alex	Reference	=> http://groups.google.com/group/in-portal-dev/browse_thread/thread/27bfe06312f7eaec
2010-01-05 05:00	alex	Target Version	=> Icebox
2010-01-05 04:59	alex	New Issue
2010-01-05 04:59	alex	File Added: main_processor_fix.patch

Web Development by Intechnic

In-Portal Open Source CMS

In-Portal Open Source CMS

Copyright © 2000 - 2009 MantisBT Group