[#MDL-20725] Double escaping of OPTGROUP labels in choose_from_menu_nested() - Moodle Tracker

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 1.9.6
Fix Version/s: None
Component/s: Libraries
Labels:
None

Difficulty:
Easy
Affected Branches:
MOODLE_19_STABLE

Description

In lib/weblib.php around line 1011, inside function choose_from_menu_nested(), there is the following:

$output .= ' <optgroup label="'. s(format_string($section)) .'">'."\n";

The double escaping of the $section string is causing optgroup labels to display HTML codes such as "&"

To reproduce the issue, simply put this code in a test page:

<?php
require_once 'config.php';

$options['One & two'][1] = 'One';
$options['One & two'][2] = 'Two';
print choose_from_menu_nested($options, 'number');
?>

More Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Download All

Attachments

20091130_mdl_20725.patch

30/Nov/09 1:48 PM

0.6 kB

Rossiani Wijaya

Screen shot 2009-12-12 at 3.12.52 AM.png

13 kB

12/Dec/09 4:31 PM

Issue Links

This issue has a non-specific relationship to:
MDL-21126	Icon madness in Main Menu block

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Rossiani Wijaya added a comment - 24/Nov/09 2:01 PM

Creating patch to fix the issue.

the quickfix for this is to remove the format_string function.

replace this:
$output .= ' <optgroup label="'. s(format_string($section)) .'">'."\n";
To:
$output .= ' <optgroup label="'. s($section) .'">'."\n";

Show

Rossiani Wijaya added a comment - 24/Nov/09 2:01 PM Creating patch to fix the issue. the quickfix for this is to remove the format_string function. replace this: $output .= ' <optgroup label="'. s(format_string($section)) .'">'."\n"; To: $output .= ' <optgroup label="'. s($section) .'">'."\n";

Hide

Permalink

Sam Hemelryk added a comment - 25/Nov/09 10:08 AM

Hi Rossi,
In this circumstance we should use format_string() rather than s().
The reason for this is that format_string() cleans a string of all unwanted and potentially hazardous content, and in this case $section is potentially entered by the user.
I would recommend changing to:
$output .= ' <optgroup label="'. format_string($section) .'">'."\n";

Show

Sam Hemelryk added a comment - 25/Nov/09 10:08 AM Hi Rossi, In this circumstance we should use format_string() rather than s(). The reason for this is that format_string() cleans a string of all unwanted and potentially hazardous content, and in this case $section is potentially entered by the user. I would recommend changing to: $output .= ' <optgroup label="'. format_string($section) .'">'."\n";

Hide

Permalink

Rossiani Wijaya added a comment - 30/Nov/09 1:48 PM

Thanks Sam.

patch updated.

Show

Rossiani Wijaya added a comment - 30/Nov/09 1:48 PM Thanks Sam. patch updated.

Hide

Permalink

Sam Hemelryk added a comment - 03/Dec/09 9:37 AM

Awesome thanks Rossi, +1 for commiting that now

Show

Sam Hemelryk added a comment - 03/Dec/09 9:37 AM Awesome thanks Rossi, +1 for commiting that now

Hide

Permalink

Rossiani Wijaya added a comment - 03/Dec/09 10:14 AM

The patch is created for version 1.9 and the issue has been resolved in HEAD.

Show

Rossiani Wijaya added a comment - 03/Dec/09 10:14 AM The patch is created for version 1.9 and the issue has been resolved in HEAD.

Hide

Permalink

Petr Škoda (skodak) added a comment - 03/Dec/09 3:47 PM

reopening, this does not seem correct to me

1/ the format_string()'s main purpose is to convert multilang strings to html, the XSS cleaning works for html texts only, not for individual parts of other html tags (such as label here)
2/ the s() is used to get rid of "' and <> - in this particular case strings with " will break pretty badly and in fact if they come from student it would cause XSS

So we have to use s(), we do not support html tags there - strip_tags() should deal with them. Now the question is do we want multilag support there? I suppose we need it there for BC reasons, so my +1 for:

s(strip_tags(format_string($section)))

Show

Petr Škoda (skodak) added a comment - 03/Dec/09 3:47 PM reopening, this does not seem correct to me 1/ the format_string()'s main purpose is to convert multilang strings to html, the XSS cleaning works for html texts only, not for individual parts of other html tags (such as label here) 2/ the s() is used to get rid of "' and <> - in this particular case strings with " will break pretty badly and in fact if they come from student it would cause XSS So we have to use s(), we do not support html tags there - strip_tags() should deal with them. Now the question is do we want multilag support there? I suppose we need it there for BC reasons, so my +1 for:

s(strip_tags(format_string($section)))

Hide

Permalink

Rossiani Wijaya added a comment - 08/Dec/09 9:33 AM

Thanks Sam for fixing the issue according to petr's suggestion and committed to 1.9 Stable.

Show

Rossiani Wijaya added a comment - 08/Dec/09 9:33 AM Thanks Sam for fixing the issue according to petr's suggestion and committed to 1.9 Stable.

Hide

Permalink

Matthew N added a comment - 12/Dec/09 4:31 PM

This commit by Rossiani caused a regression with the site main menu block in edit mode. It now displays the resource's icon between all of the edit buttons. See the screenshot to see what I mean.

Commit: http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.970.2.152&r2=1.970.2.153&pathrev=MOODLE_19_WEEKLY&sortby=date

The hunk in that commit which modified print_side_block cause the regression. It seems like only the first hunk was supposed to be committed when comparing to Rossiani's patch in this issue. The other changes seem mostly unrelated. I think someone just needs to backout all the hunks except for the first.

Show

Matthew N added a comment - 12/Dec/09 4:31 PM This commit by Rossiani caused a regression with the site main menu block in edit mode. It now displays the resource's icon between all of the edit buttons. See the screenshot to see what I mean. Commit: http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.970.2.152&r2=1.970.2.153&pathrev=MOODLE_19_WEEKLY&sortby=date The hunk in that commit which modified print_side_block cause the regression. It seems like only the first hunk was supposed to be committed when comparing to Rossiani's patch in this issue. The other changes seem mostly unrelated. I think someone just needs to backout all the hunks except for the first.

Hide

Permalink

Rossiani Wijaya added a comment - 14/Dec/09 9:35 AM

Hi Matthew,

thank you for testing the issue. The weblib.php i committed was not the latest version. Sam committed file would be the latest version for the issue. Please update the your version and let me know if you still having the issue.

as for the other changes, it is used to fix other issue thats not related to this tracker.

Show

Rossiani Wijaya added a comment - 14/Dec/09 9:35 AM Hi Matthew, thank you for testing the issue. The weblib.php i committed was not the latest version. Sam committed file would be the latest version for the issue. Please update the your version and let me know if you still having the issue. as for the other changes, it is used to fix other issue thats not related to this tracker.

Hide

Permalink

Matthew N added a comment - 14/Dec/09 10:02 AM

Hello Rossiani,

I was using the weekly build from Dec. 9, 2009 so it includes Sam's commit but my issue is not related to this bug but with the other changes (to print_side_block) that you committed with the patch for this issue.

Have you tried to reproduce the issue for yourself by editing the site main menu? When I revert the additional changes committed and leave only the one related to this issue then the bug goes away.

Do you have an issue number for the print_side_block changes so I can comment there instead as that code is the part that causes the regression.

Thanks

Show

Matthew N added a comment - 14/Dec/09 10:02 AM Hello Rossiani, I was using the weekly build from Dec. 9, 2009 so it includes Sam's commit but my issue is not related to this bug but with the other changes (to print_side_block) that you committed with the patch for this issue. Have you tried to reproduce the issue for yourself by editing the site main menu? When I revert the additional changes committed and leave only the one related to this issue then the bug goes away. Do you have an issue number for the print_side_block changes so I can comment there instead as that code is the part that causes the regression. Thanks

Hide

Permalink

Rossiani Wijaya added a comment - 14/Dec/09 3:15 PM

Hi Matthew,

the issue number for print_side_block change is ~~MDL-6820~~. I submitted the patch to address the issue.

please take a look.

Thanks.

Show

Rossiani Wijaya added a comment - 14/Dec/09 3:15 PM Hi Matthew, the issue number for print_side_block change is ~~MDL-6820~~. I submitted the patch to address the issue. please take a look. Thanks.

Hide

Permalink

Sam Hemelryk added a comment - 16/Dec/09 10:30 AM

Have linked to an issue that I created specifically for the icon madness. Thank you for spotting that Matthew

Show

Sam Hemelryk added a comment - 16/Dec/09 10:30 AM Have linked to an issue that I created specifically for the icon madness. Thank you for spotting that Matthew

People

Assignee:

Rossiani Wijaya

Reporter:

Francois Marier

Tester:

Nobody

Participants:

Francois Marier, Matthew N, Petr Škoda (skodak), Rossiani Wijaya, Sam Hemelryk

Vote (0)

Watch (2)

Dates

Created:

03/Nov/09 11:44 AM

Updated:

13/Dec/10 6:38 PM

Resolved:

08/Dec/09 9:33 AM