Development

#509 ([PATCH] Prevent double decoration in output escaping)

You must first sign up to be able to contribute.

Ticket #509 (closed defect: wontfix)

Opened 6 years ago

Last modified 2 years ago

[PATCH] Prevent double decoration in output escaping

Reported by: Mike Squire Assigned to:
Priority: major Milestone:
Component: view Version: 1.0.11
Keywords: patch Cc: mike@somosis.co.uk
Qualification: Design decision

Description

When passing values from an action template (which have already been escaped) to a component or partial, they can get escaped again with undesirable consequences (unless they are passed by $sf_data->getRaw()). This patch catches values that have already been decorated with an escaper and prevents them being decorated twice: 

Index: lib/view/escaper/sfOutputEscaper.class.php
===================================================================
--- lib/view/escaper/sfOutputEscaper.class.php  (revision 1319)
+++ lib/view/escaper/sfOutputEscaper.class.php  (working copy)
@@ -92,8 +92,17 @@

     if (is_object($value))
     {
-      if ($value instanceof Traversable)
+      if ($value instanceof sfOutputEscaper)
       {
+        // avoid double decoration when passing values from action template to component/partial
+        $copy = clone $value;
+
+        $copy->escapingMethod = $escapingMethod;
+
+        return $copy;
+      }
+      elseif ($value instanceof Traversable)
+      {
         return new sfOutputEscaperIteratorDecorator($escapingMethod, $value);
       }
       else

Change History

05/05/06 14:51:59 changed by fabien

  • status changed from new to closed.
  • resolution set to fixed.

in r1321.

08/23/06 12:25:52 changed by francois

  • status changed from closed to reopened.
  • resolution deleted.

I still have double escaping issues with partial inclusions.

08/23/06 15:07:02 changed by francois

The patch works only for objects. Scalars and arrays stille get double escaped.

08/23/06 16:08:52 changed by fabien

  • milestone changed from 0.6.3 to 1.0.0.

08/23/06 17:58:06 changed by francois

The only way to prevent double escaping for objects in partials is to use the modified accessors: 

$sf_data->getRaw('question')->getTitle();

is double escaped, but 

$question->getTitle(ESC_RAW);

is escaped only once.

As explained above, the problem remains for strings.

02/21/07 14:48:57 changed by francois

  • component set to view.
  • milestone deleted.

09/05/07 18:37:19 changed by the-pulse

  • cc set to mike@somosis.co.uk.
  • keywords set to patch.
  • version changed from 0.7.X to 1.0.6.
  • milestone set to 1.0.7.

Multiple usage of partials/components leads to multiple decoration, not only double decoration. Therfore, all existing decorators have to be stripped. The following Patch solves the issue for me: 

--- sfOutputEscaper.class.php.orig  2007-09-05 20:06:26.000000000 +0200
+++ sfOutputEscaper.class.php 2007-09-05 20:06:56.000000000 +0200
@@ -98,16 +98,14 @@

     if (is_object($value))
     {
-      if ($value instanceof sfOutputEscaper)
+      while ($value instanceof sfOutputEscaper)
       {
-        // avoid double decoration when passing values from action template to component/partial
-        $copy = clone $value;
-
-        $copy->escapingMethod = $escapingMethod;
-
-        return $copy;
+        // avoid multiple decoration when passing values from
+        // action template to component/partial
+        $value = $value->getRawValue();
       }
-      elseif ($value instanceof Traversable)
+
+      if ($value instanceof Traversable)
       {
         return new sfOutputEscaperIteratorDecorator($escapingMethod, $value);
       }

Be aware that this modification might lead to insecure applications since users might have used getRaw() to circumvent the problem. This should be pointed out in the release notes.

Best regards

Sven Lauritzen

09/05/07 18:45:10 changed by fabien

  • milestone deleted.

09/11/07 18:03:41 changed by the-pulse

  • version changed from 1.0.6 to 1.0.7.
  • qualification set to Unreviewed.

I've recognized that the previous patch lead to arrays decorated with the sfObjectDecorater in partials. They where no more traversable nor accessible. I've reworked the patch. The resulting code is easier to understand and easier to refactore. If include_partial stops decorating the passed variables, the while-loop may simply be removed. Anyhow, it may persist. 

--- sfOutputEscaper.class.php.orig  2007-09-11 19:50:04.000000000 +0200
+++ sfOutputEscaper.class.php 2007-09-11 19:49:38.000000000 +0200
@@ -80,6 +80,13 @@
    */
   public static function escape($escapingMethod, $value)
   {
+    // avoid multiple decoration when passing values from
+    // action template to component/partial
+    while ($value instanceof sfOutputEscaper)
+    {
+      $value = $value->getRawValue();
+    }
+
     if (is_null($value) || ($value === false) || ($escapingMethod === 'esc_raw'))   
     {
       return $value;
@@ -98,16 +105,7 @@
       
     if (is_object($value))
     {
-      if ($value instanceof sfOutputEscaper)
-      { 
-        // avoid double decoration when passing values from action template to component/partial
-        $copy = clone $value;
-
-        $copy->escapingMethod = $escapingMethod;
-      
-        return $copy;
-      }
-      elseif ($value instanceof Traversable)
+      if ($value instanceof Traversable)
       {
         return new sfOutputEscaperIteratorDecorator($escapingMethod, $value);
       }

Sven Lauritzen

10/01/07 08:05:50 changed by dwhittle

  • qualification set to Patch rejected, quality issue.

01/26/08 11:10:25 changed by cristianbaciu

  • version changed from 1.0.7 to 1.0.11.

01/26/08 11:11:47 changed by cristianbaciu

  • milestone set to 1.0.12.

01/28/08 09:08:52 changed by francois

  • milestone deleted.

cristianbaciu: Please leave it to the core team to decide what goes into the next release or not. The current status of this ticket is that the patch is not good enough to be tested by the core team.

06/23/08 05:12:07 changed by dwhittle

  • qualification changed from Patch rejected, quality issue to Design decision.
  • milestone set to 1.0.17.

06/24/08 12:07:34 changed by fabien

  • milestone deleted.

05/12/10 09:39:28 changed by fabien

  • status changed from reopened to closed.
  • resolution set to wontfix.

That's something that cannot be fixed cleanly in symfony 1. This has been taken into account for Symfony 2.