
ApplicationConfig unescaped #20

Closed
weierophinney opened this issue Dec 31, 2019 · 9 comments

Comments

@weierophinney (Member)

Hi.
Broken page because the code is displayed unescaped.
It seems there is a problem in ConfigCollector::unserializeArray().

[Screenshot attached: SceenSnap]


Originally posted by @mamont77 at zendframework/zend-developer-tools#116

@weierophinney (Member, Author)

@mamont77 are you running the latest version? Escaping should be applied there...


Originally posted by @Ocramius at zendframework/zend-developer-tools#116 (comment)

@weierophinney (Member, Author)

@Ocramius, yes. I'm using latest master.


Originally posted by @mamont77 at zendframework/zend-developer-tools#116 (comment)

@weierophinney (Member, Author)

Could you please paste the HTML generated by the toolbar? I didn't find the location where the output would not be correctly escaped.


Originally posted by @Ocramius at zendframework/zend-developer-tools#116 (comment)

@weierophinney (Member, Author)

Sorry, I could not attach a file, unsupported format.
Temporarily added to my repository.
https://github.com/mamont77/fcontrol/blob/master/temp.html


Originally posted by @mamont77 at zendframework/zend-developer-tools#116 (comment)

@weierophinney (Member, Author)

@mamont77 if I get this correctly, it's a problem in Zend\Debug itself.

The problems are at https://github.com/mamont77/fcontrol/blob/master/temp.html#L367, right?

If so, then this issue should be opened against Zend\Debug with a small test array (nothing fancy, just those weird keys).


Originally posted by @Ocramius at zendframework/zend-developer-tools#116 (comment)

@weierophinney (Member, Author)

@Ocramius I'm not convinced by your analysis. Zend\Debug\Debug::dump() does the following:

  • If xdebug is detected, it simply wraps the output in <pre> tags.
  • If not, it uses the composed Zend\Escaper\Escaper instance, and calls escapeHtml() to escape the output, before wrapping in <pre> tags.

Based on the configuration dumped, I'd argue it's a problem with Escaper, to be honest -- there are clearly < and > characters not being escaped.


Originally posted by @weierophinney at zendframework/zend-developer-tools#116 (comment)

@weierophinney (Member, Author)

@weierophinney no analysis: I just stopped after finding out that it's not ZDT ;)


Originally posted by @Ocramius at zendframework/zend-developer-tools#116 (comment)

@weierophinney (Member, Author)

Odd -- I took the relevant parts of the configuration:

  • the console routes
  • the super messenger configuration
  • the factories that were defined as inline anonymous functions

and wrote a test to see if the values were being escaped. They were. In fact, all quotes, all angle brackets, and a number of other characters were being escaped for HTML.

This makes me wonder if it's either (a) browser-specific, or (b) an issue with how the JS library is handling the data.


Originally posted by @weierophinney at zendframework/zend-developer-tools#116 (comment)
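The two branches of Zend\Debug\Debug::dump() described above, together with the kind of check used to confirm that a dumped configuration really is escaped, as an added PHP 8 example that is not part of this thread or of laminas-developer-tools. htmlspecialchars() stands in for Zend\Escaper\Escaper::escapeHtml(), the $xdebugLoaded flag replaces the real extension detection, and the configuration array is constructed to resemble the console routes and closure factories mentioned in the comments.

```php
<?php
// Added example, not code from zend-debug or laminas-developer-tools.
// Models the two dump branches discussed in the thread and checks the result.

declare(strict_types=1);

// Stand-in for Zend\Escaper\Escaper::escapeHtml() (assumption: the escaper
// encodes & < > " ' and replaces invalid UTF-8 rather than dropping it).
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Mirror of the behaviour described for Debug::dump():
 *  - $xdebugLoaded = true: the var_dump output is wrapped in <pre> as-is,
 *    relying on xdebug to have produced HTML-safe output itself;
 *  - otherwise the output is passed through the escaper first.
 */
function dumpForHtml(mixed $var, bool $xdebugLoaded): string
{
    ob_start();
    var_dump($var);
    $output = (string) ob_get_clean();

    if (! $xdebugLoaded) {
        $output = escapeHtml($output);
    }

    return '<pre>' . $output . '</pre>';
}

/**
 * Defensive check: strip the single wrapping <pre>...</pre> and report any
 * fragment inside it that still looks like markup. An empty array means
 * every < and > from the dumped data was encoded.
 */
function findUnescapedMarkup(string $html): array
{
    if (! preg_match('~\A<pre>(.*)</pre>\z~s', $html, $m)) {
        return ['(missing <pre> wrapper)'];
    }
    preg_match_all('~<[^>]*>~', $m[1], $tags);
    return $tags[0];
}

// Constructed sample: console route with <placeholder> syntax, an inline
// closure factory, and a key that contains literal markup.
$config = [
    'console' => [
        'routes' => [
            'list' => ['options' => ['route' => 'list [--verbose|-v] [<filter>]']],
        ],
    ],
    'service_manager' => [
        'factories' => [
            'App\Service' => static fn () => new stdClass(),
        ],
    ],
    '<b>bold key</b>' => 'value with "quotes" & <angle> brackets',
];

$escaped = dumpForHtml($config, xdebugLoaded: false);
$asIs    = dumpForHtml($config, xdebugLoaded: true);

// Expected: the escaper branch reports 0 raw tags. The as-is branch reports
// the tags from the data verbatim when run with a plain var_dump, i.e. the
// branch is only safe if xdebug's own HTML formatting is actually in effect.
printf("escaper branch: %d raw tag(s)\n", count(findUnescapedMarkup($escaped)));
printf("as-is branch:   %d raw tag(s)\n", count(findUnescapedMarkup($asIs)));
```

Running this with xdebug absent shows why the thread's disagreement is hard to settle from the rendered page alone: the escaper branch produces no raw markup, while the as-is branch leaks whatever var_dump emitted, so whether the configuration keys appear escaped depends on which branch was taken and on how the toolbar's JavaScript later injects that HTML into the document.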

@samsonasik (Member)

Escaped contents should already be handled in laminas-developer-tools ^1.3.1 || ^2.0.2. If you find the problem persists, please re-create the issue.

Closing.
