Skip html encoding rich-text fields #12841
Conversation
|
@colemanw @totten @seamuslee001 @mlutfy this works to fix the issue. However, I just want to cover off the security issues before we merge. Performance - ideally once we have finalised some caching discussion we would store this in a cache so Redis or Memcache etc can be used. However, in the meantime this should mean only one extra query per process as it is on a singleton property. Security The only thing that strikes me about the custom fields compared to the existing fields is that none of the existing fields are likely to be exposed to front end users. However, to create a new contact or contribution, other than using an existing form - which should be unchanged - the user would need Contact.create or Contribution.create permission - which seems likely to only be given to 'trusted users'. I'm about 50-50 on whether we should add an extra permission 'save html to database' and at least in this place in the code require it for any skipped fields. |
|
Also note that I couldn't just add script tags & have them save
|
|
Also note that we use (at least in the layout extension) the smarty |
|
Any reply I give to that is going to take us into a whole different scope of conversation but yes - good that use purify in the extension! |
|
@eileenmcnaughton i think that is the IDS there kicking in, however as Sean pointed out that isn't a solution its self. the problem is that this list of fields doesn't know what entity it is for so any field that matches custom_x would be skipped but given its custom fields they will only ever belong to one entity so i think this is probably ok but adding to this array always makes me nervous |
|
Just looking at this patch, without getting sidetracked onto other related topics, I think this is safe to merge, because it mirrors the behavior in the DAO. Saving these custom fields via DAO will not escape them, so now the api functions the same way. |
|
@colemanw right - be people can access the api from js whereas they have to go through some form or other to get to the DAO |
|
Well the js api enforces |
|
I'd like @totten to comment |
eileenmcnaughton
added
the
sig:extension support
I'm trying to reconcile myself to the interface change. Some ways:
(I haven't sent the pings -- would like to hear about |
|
I would argue that scenario 1 is the case: it is fundamentally broken as-is and there is no workaround that doesn't involve circumventing the api with a direct db query or doing something complex like implementing a custom api wrapper (I'm not even sure an api wrapper could fix this encoding it happens at such a low level). @totten you mentioned an android app - is there an android dev that mentioned this issue? I filed it because of the Layout extension. |
|
(b) No one's pushing the point now. (It's too early in the process for anyone to get potentially bitten.) I raised an Android app as a hypothetical. (a) 👍 Your statement that the old behavior is fundamentally broken checks out (IMHO). In playing around with a read/write cycle of the API, I wind up with munged data that no longer displays properly in the main UI. |
|
I feel like this is resolved now per the last 2 comments - merging |
e.g try editing the prospect field 'Next Step' on a contact locally in a profile created by the contact summary editor This ports this PR civicrm#12841 in order to save html encoded fields like 'Next Steps' on the prospect set correctly. I am not sure if this will be the final patch as I have added comments to the PR to discuss security implications (if any) - however, I'm not concerned about those in our case as .... firewall. Bug: T204179 Change-Id: Id0025eb4a3db815731624c3a052dd3069f21c780
Overview
Fixes civicrm/org.civicrm.contactlayout#21
Before
Rich text custom fields saved with api were being escaped
After
Html is preserved as-is
Comments
Ugh.