This repository has been archived by the owner on Jan 21, 2020. It is now read-only.

ApplicationConfig unescaped #116

Open
mamont77 opened this issue Jul 14, 2013 · 9 comments

Comments

@mamont77

Hi.
The page is broken because the code is displayed unescaped.
It seems there is a problem in ConfigCollector::unserializeArray().

[Screenshot: SceenSnap]

@Ocramius
Member

@mamont77 are you running the latest version? Escaping should be applied there...

@mamont77
Author

@Ocramius, yes. I'm using latest master.

@Ocramius
Member

Could you please paste the HTML generated by the toolbar? I didn't find the location where the output would not be correctly escaped.

@mamont77
Author

Sorry, I could not attach a file (unsupported format).
I have temporarily added it to my repository:
https://github.com/mamont77/fcontrol/blob/master/temp.html

@Ocramius
Member

@mamont77 if I get this correctly, it's a problem in Zend\Debug itself.

The problems are at https://github.com/mamont77/fcontrol/blob/master/temp.html#L367, right?

If so, then this issue should be opened against Zend\Debug with a small test array (nothing fancy, just those weird keys).

@weierophinney
Member

@Ocramius I'm not convinced by your analysis. Zend\Debug\Debug::dump() does the following:

  • If xdebug is detected, it simply wraps the output in <pre> tags.
  • If not, it uses the composed Zend\Escaper\Escaper instance, and calls escapeHtml() to escape the output, before wrapping in <pre> tags.

Based on the configuration dumped, I'd argue it's a problem with Escaper, to be honest -- there are clearly < and > characters not being escaped.
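The following is an added example and not code from ZendDeveloperTools or Zend\Debug. It models the two rendering branches just described (escape the dump text, or trust that the dumper already produced HTML and only wrap it in <pre>) and adds the check a reviewer would run on the rendered toolbar HTML: does any raw `<` or `>` from the dumped data survive inside the <pre> body? The sample config is constructed here; `plainDump`, `renderDump` and `findUnescapedAngleBrackets` are hypothetical helper names, and PHP 8 is assumed.

```php
<?php
// Added example (not ZendDeveloperTools or Zend\Debug code). It models the
// two branches described in the thread: escape the dump, or trust that the
// dumper already produced HTML and only wrap it in <pre>. Requires PHP 8.
declare(strict_types=1);

/** Plain-text dump of a value; var_export never emits HTML. */
function plainDump(mixed $value): string
{
    return var_export($value, true);
}

/**
 * Render a dump inside <pre>. When $dumperEmitsHtml is false the text is
 * escaped first; when true it is inserted as-is, which is only safe if the
 * dumper really did produce HTML (for var_dump under xdebug that depends on
 * html_errors=1, not merely on the extension being loaded).
 */
function renderDump(string $dumpText, bool $dumperEmitsHtml): string
{
    $body = $dumperEmitsHtml
        ? $dumpText
        : htmlspecialchars($dumpText, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<pre>\n" . $body . "\n</pre>";
}

/**
 * Check for the symptom in the screenshot: any '<' or '>' surviving inside
 * the <pre> body means browser-visible markup came from the dumped data.
 * Returns the offending lines (empty array when the render is clean).
 */
function findUnescapedAngleBrackets(string $html): array
{
    $inner = preg_replace('~^<pre>\n|\n</pre>$~', '', $html);
    $offending = [];
    foreach (explode("\n", $inner) as $n => $line) {
        if (strpbrk($line, '<>') !== false) {
            $offending[] = sprintf('%d: %s', $n + 1, $line);
        }
    }
    return $offending;
}

// Constructed sample standing in for the collected application config. The
// keys and values only need to contain HTML metacharacters, as the console
// route and inline-factory entries in the report did.
$config = [
    'console' => [
        'router' => [
            'routes' => [
                '<weird-key>' => ['options' => ['route' => 'greet <name> [--shout]']],
            ],
        ],
    ],
    'service_manager' => [
        'factories' => ['App\Service' => '<inline closure>'],
    ],
];

$dump = plainDump($config);

// Escaped branch: every metacharacter becomes an entity.
$escaped = renderDump($dump, false);
assert(findUnescapedAngleBrackets($escaped) === []);
assert(str_contains($escaped, '&lt;weird-key&gt;'));

// Same text, but the renderer wrongly believes it is already HTML.
$trusted = renderDump($dump, true);
$leaks = findUnescapedAngleBrackets($trusted);
assert($leaks !== []);

echo "Escaped branch: no raw angle brackets\n";
echo "Wrap-only branch on plain text leaks:\n  " . implode("\n  ", $leaks) . "\n";
```

Run it against the HTML a toolbar actually emitted (paste the <pre> body into `findUnescapedAngleBrackets`) to separate a server-side escaping gap from a client-side one: if the served HTML is clean but the rendered page shows markup, the problem is in how the data is handled after delivery, which is the second possibility raised later in this thread.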

@Ocramius
Member

@weierophinney no analysis: I just stopped after finding out that it's not ZDT ;)

@weierophinney
Member

Odd -- I took the relevant parts of the configuration:

  • the console routes
  • the super messenger configuration
  • the factories that were defined as inline anonymous functions

and wrote a test to see if the values were being escaped. They were. In fact, all quotes, all angle brackets, and a number of other characters were being escaped for HTML.

This makes me wonder if it's either (a) browser-specific, or (b) an issue with how the JS library is handling the data.

@weierophinney
Member

This repository has been closed and moved to laminas/laminas-developer-tools; a new issue has been opened at laminas/laminas-developer-tools#20.
