Item9758: URLPARAM and newline="<br />" don't work for me

Priority: Normal
Current State: No Action Required
Released In: n/a
Target Release: n/a
Applies To: Engine
Component:
Branches:
Reported By: MatthewKoundakjian
Waiting For:
Last Change By: CrawfordCurrie
I was trying to debug why my comment template wasn't working right (I ported my webs over from twiki where it worked) and it seemed to boil down to this line in my UserCommentsTemplate
| %URLPARAM{"comment" newline="<br />" encode="safe"}% | 

It appeared the newlines were getting swapped to the requested string and then encoded. In the saved page, I was getting a lot of encoded greater-than and less-than symbols.

Looking at support in foswiki.org, I found the Question I copied below in the indented block.

MarcSCHAEFER (http://foswiki.org/Main/MarcSCHAEFER) posted this as http://foswiki.org/Support/Question627 ... I expect it is the problem I'm having, too. My apologies if it has already been put in as a task.

-- MatthewKoundakjian - 28 Sep 2010

Hi,

in http://trac.foswiki.org/browser/trunk/core/lib/Foswiki/Macros/URLPARAM.pm you can see in handleURLPARAMValue() that $newLine is expanded BEFORE doing the encoding.

How is then something like expected to work correctly?

Proposed diff, which is tested and works on my installation.

@@ -4021,7 +4011,7 @@
         }
     }
     if ( defined $value ) {
-        # $value =~ s/\r?\n/$newLine/go if ( defined $newLine );
+        $value =~ s/\r?\n/$newLine/go if ( defined $newLine );
         if ( $encode =~ /^entit(y|ies)$/i ) {
             $value = entityEncode($value);
         }
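Review bot: the direction of this hunk looks inverted relative to the description. The prose says `$newLine` is currently expanded before encoding and that this is the problem, yet the `+` line re-enables exactly that pre-encoding `$value =~ s/\r?\n/$newLine/go` while the `-` line is its commented-out copy; the next hunk likewise removes lines that carry the author's own dated comment. This reads as a diff taken from the patched file against the original. Regenerate it with the original file as the first argument so the `+`/`-` signs match the change actually proposed.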
@@ -4041,8 +4031,6 @@
                                               # entity encode ' " < > and %
             $value =~ s/([<>%'"])/'&#'.ord($1).';'/ge;
         }
-        # schaefer - 2010-08-26 - should be done here, else gets encoded.
-        $value =~ s/\r?\n/$newLine/go if ( defined $newLine );
     }
     unless ( defined $value ) {
         $value = $params->{default};
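Review bot: once the substitution sits after the encode branches (the position of the two removed lines in this hunk), whatever the `newline` parameter holds is copied into `$value` without ever passing through `entityEncode` or the safe branch's `s/([<>%'"])/'&#'.ord($1).';'/ge`, so the parameter becomes a way to emit raw markup through URLPARAM. Before adopting this ordering, either encode the parameter's own value or restrict it to a small set of known-safe replacement tokens, and document that `newline` output is not covered by `encode`.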

I looked in foswiki\lib\Foswiki.pm and found the
$value =~ s/\r?\n/$newLine/go if ( defined $newLine );
at line 4028 in my installation.

To get the behavior I want, moving that line to the bottom of the block within the
if (defined $value ) { 
works, but that could break a situation where the desired behavior is to swap a newline for something and then have that encoded.

-- MatthewKoundakjian - 28 Sep 2010

Note, too, that my use of the comment is in my own version of the tasks database and that I usually want things encoded/escaped, so turning off encoding would make things worse for me.

-- MatthewKoundakjian - 28 Sep 2010

as silly as this is, here's what I put in place for now:
    if ( defined $value ) {
        # Local hack: substitute newlines before encoding, except when the
        # replacement is <br />, which would otherwise be entity-encoded below.
        $value =~ s/\r?\n/$newLine/go if ( defined $newLine and !( $newLine =~ /<br \/>/ ) );
        if ( $encode =~ /^entit(y|ies)$/i ) {
            $value = entityEncode($value);
        }
        elsif ( $encode =~ /^quotes?$/i ) {
            $value =~
              s/\"/\\"/go;    # escape quotes with backslash (Bugs:Item3383 fix)
        }
        elsif ( $encode =~ /^(off|none)$/i ) {

            # no encoding
        }
        elsif ( $encode =~ /^url$/i ) {
            $value =~ s/\r*\n\r*/<br \/>/;    # Legacy
            $value = urlEncode($value);
        }
        else {                                # safe or default
                                              # entity encode ' " < > and %
            $value =~ s/([<>%'"])/'&#'.ord($1).';'/ge;
        }
        # Second half of the hack: a <br /> replacement is applied only after
        # encoding, so the tag survives in the saved output.
        $value =~ s/\r?\n/$newLine/go if ( defined $newLine and ( $newLine =~ /<br \/>/ ) );
    }

-- MatthewKoundakjian - 28 Sep 2010

I need to think carefully about the consequences of having newline unfiltered. We do not want to have a new security hole.

But for CommentPlugin the way Foswiki chose to handle things was a little different from TWiki.

We actually use encode="none" in all URLPARAMs.

The attack vector for CommentPlugin templates is the template topic itself and not the use of COMMENT.

All it takes to secure the URLPARAM in the UserCommentsTemplate is to enclose the template definitions in verbatim tags.

See all the distributed examples that come with CommentPlugin in Foswiki and you can quickly see how to address it in a simple and safe way.

-- KennethLavrsen - 29 Sep 2010

Kenneth.... I'm the last one who wants to open the barn door to attack.

I can see why you'd want to be able to filter the newline arg, as anything could be put in there and the code just does a search-and-replace with that string.

But I'm kind of stumped how to get what I want (stuff in a table) without the verbatim tag. Do we need a new attribute tag? NL2BR?

-- MatthewKoundakjian - 20 Oct 2010

I suspect that this is a No Action as of 1.2. CommentPlugin is redesigned as a REST handler and requires POST not GET. Crawford ... thoughts?

-- GeorgeClark - 06 Jan 2015

No thoughts because I don't know the results of anyone trying it. I don't have this set up as a test example and don't have time at the moment to muck around with it, so kicking it back to New state.

-- CrawfordCurrie - 26 Jan 2015

Having re-read this I can see that the original problem is addressed by using $percentBR$percent instead of <br />.

No action.

-- CrawfordCurrie - 15 Jun 2015

Codebase: 1.0.10
Topic revision: r6 - 15 Jun 2015, CrawfordCurrie