Fix the HTML encoding when uploading a folder in FF when using french…#460

nickvergessen · 2016-07-20T11:04:43Z

… l10n

Fix #459

Please review @tflidd

… l10n

tflidd · 2016-07-20T11:29:43Z

That was a quick fix. Thank you, it works perfectly.
👍

LukasReschke · 2016-07-20T11:52:54Z

apps/files/js/file-upload.js

+								fileName: escapeHTML(data.files[0].name),
 								message: data.errorThrown
-							});
+							}, undefined, {escape: false});


I got to say that I consider this a kinda risky chance. While data.errorThrown may right now not echo back user controlled input this has still the potential to do bad things in the future… 🙈

Can we do that at

server/apps/files/js/file-upload.js

Lines 357 to 360 in 45c99c2

data.errorThrown = t('files',

'Unable to upload {filename} as it is a directory or has 0 bytes',

{filename: file.name}

);

? Then we prevent the double escaping and don't introduce a XSS by mistake. :)

The file name is already escaped there, it is also escaped here.
The problem is, that the actual translation contains the ', and when using that string here as a parameter in the translation, it is html encoded and displayes as &#...;. So not sure how this could be fixed on the other place, if this place breaks it.

Simply unescape

server/apps/files/js/file-upload.js

Lines 357 to 360 in 45c99c2

data.errorThrown = t('files',

'Unable to upload {filename} as it is a directory or has 0 bytes',

{filename: file.name}

);

? Then the escaping here will take care of it, or do I miss something?

Aha… Gotcha now… Let me think…

unescape what? the unescape option only affects parameters, but the parameter is not the problem. Also the value in data.errorThrown here is not a problem, it's still what we would display in the UI. It's the t() method here, which takes the translated string as an argument and thereby s/'/&#..; the first translation. TO avoid this I removed escaping from all parameters and only escaped the file name, since the string here is only translator controlled, not user controlled, we can and have to trust it anyway....

Ok. You're right. This is also properly escaped all since we don't use showHTML. (so even when passing HTML strings this shouldn't be rendered as HTML anyways)

LukasReschke · 2016-07-20T12:30:56Z

👍

MorrisJobke · 2016-07-20T14:21:55Z

@nickvergessen @LukasReschke Backport?

Fix the HTML encoding when uploading a folder in FF when using french…

45c99c2

… l10n

nickvergessen added bug 3. to review Waiting for reviews feature: files labels Jul 20, 2016

nickvergessen added this to the Nextcloud Next milestone Jul 20, 2016

LukasReschke reviewed Jul 20, 2016
View reviewed changes

LukasReschke merged commit b37e1ed into master Jul 20, 2016

LukasReschke deleted the issue-459-html-decoded-error-message-when-uploading-folder branch July 20, 2016 12:31

MorrisJobke added the backport-request label Jul 20, 2016

nickvergessen mentioned this pull request Jul 21, 2016

Fix the HTML encoding when uploading a folder in FF when using french… #491

Merged

MorrisJobke removed the backport-request label Jul 25, 2016

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Fix the HTML encoding when uploading a folder in FF when using french…#460