Skip to content

Do not replace special chars with HTML entities #14550

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 6, 2025
Merged

Do not replace special chars with HTML entities #14550

merged 1 commit into from
Feb 6, 2025

Conversation

escopecz
Copy link
Member

@escopecz escopecz commented Feb 4, 2025
edited
Loading

Q A
Bug fix? (use the a.b branch) [x]
New feature/enhancement? (use the a.x branch) [ ]
Deprecations? [ ]
BC breaks? (use the c.x branch) [ ]
Automated tests included? [x]
Related user documentation PR URL mautic/mautic-documentation#...
Related developer documentation PR URL mautic/developer-documentation#...
Issue(s) addressed Fixes https://acquia.atlassian.net/browse/MAUT-11799

Description:

When searching for a contact via API with a where condition value with some special character like ' then it won't find such contact even if it exists. The problem is that we "clean" the values in

app/bundles/ApiBundle/Controller/FetchCommonApiController.php

which is then mutating the values with filter_var($value, FILTER_SANITIZE_SPECIAL_CHARS);:

https://github.com/mautic/mautic/blob/6.x/app/bundles/CoreBundle/Helper/InputHelper.php#L175

The PHP docs aren't describing what this does very well, but here's an explanation from GPT:

The FILTER_SANITIZE_SPECIAL_CHARS filter is useful for preventing Cross-Site Scripting (XSS) attacks by ensuring that special characters are safely encoded when outputting data to a webpage. This can help protect applications from malicious input that attempts to disrupt the integrity of the HTML.

Since these values from the where API condition aren't going to be visible in any UI we don't need to worry about XSS. Another security issue could be SQL injection but that is handled by Doctrine when setting the values as parameters to the query builder which is happening here:

https://github.com/mautic/mautic/blob/6.x/app/bundles/CoreBundle/Entity/CommonRepository.php#L1600

So from the security point of view we are OK and there is no need to encode characters into HTML entities.

Steps to test this PR:

  1. Open this PR on Gitpod or pull down for testing locally (see docs on testing PRs here)
  2. Create a contact with Email contac't2@mailtest.mautic.com.
  3. Search the contact using API endpoint https://mautic-cloud.ddev.site/api/contacts?start=0&orderBy=id&minimal=true&where[0][col]=email&where[0][expr]=like&where[0][val]=contac%27t% it should return the contact details but it is returning 0 contacts.

Other areas of Mautic that may be affected by the change:

  1. This will affect searching for all the entities via API. Not just contacts. As the change was done in a class used by the rest of the API controllers.

List of areas covered by the unit and/or functional tests:

  1. The functional test is checking that a contact with an ' in the first name can be found with API.

@escopecz
Merge pull request mautic#2327 from acquia/MAUT-11799
69f27d2 
MAUT-11799 Do not replace special chars with HTML entities
@escopecz escopecz added bug Issues or PR's relating to bugs API Anything related to the API unforking Used for PRs in the Acquia's unforking initiative code-review-needed PR's that require a code review before merging ready-to-test PR's that are ready to test labels Feb 4, 2025
@escopecz escopecz requested review from a team and rohitpavaskar and removed request for a team February 4, 2025 10:00
@codecov Codecov
Copy link

codecov bot commented Feb 4, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 64.04%. Comparing base (b94713f) to head (69f27d2).
Report is 53 commits behind head on 6.x.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff            @@
##                6.x   #14550   +/-   ##
=========================================
  Coverage     64.04%   64.04%           
  Complexity    34664    34664           
=========================================
  Files          2287     2287           
  Lines        103757   103757           
=========================================
  Hits          66446    66446           
  Misses        37311    37311
Files with missing lines Coverage Δ
.../ApiBundle/Controller/FetchCommonApiController.php 79.72% <100.00%> (ø)

rohitpavaskar
rohitpavaskar approved these changes Feb 6, 2025
View reviewed changes
Copy link
Contributor

@rohitpavaskar rohitpavaskar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @escopecz!

@escopecz escopecz added code-review-passed PRs which have passed code review pending-test-confirmation PR's that require one test before they can be merged and removed code-review-needed PR's that require a code review before merging ready-to-test PR's that are ready to test labels Feb 6, 2025
@escopecz escopecz requested review from a team, fedys and rahuld-dev and removed request for a team and rahuld-dev February 6, 2025 12:02
rahuld-dev
rahuld-dev approved these changes Feb 6, 2025
View reviewed changes
Copy link
Contributor

@rahuld-dev rahuld-dev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @escopecz
It is working as expected tested on my local env.
image

@rahuld-dev rahuld-dev added user-testing-passed PRs which have been successfully tested by the required number of people. and removed pending-test-confirmation PR's that require one test before they can be merged labels Feb 6, 2025
@escopecz escopecz added this to the 6.0.0-beta milestone Feb 6, 2025
@escopecz escopecz merged commit a407742 into mautic:6.x Feb 6, 2025
17 checks passed
@RCheesley RCheesley modified the milestones: 6.0.0-beta, 6.0.0-beta2 Mar 5, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fedys fedys Awaiting requested review from fedys fedys was automatically assigned from mautic/acquia-engineers

2 more reviewers

@rohitpavaskar rohitpavaskar rohitpavaskar approved these changes

@rahuld-dev rahuld-dev rahuld-dev approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
API Anything related to the API bug Issues or PR's relating to bugs code-review-passed PRs which have passed code review unforking Used for PRs in the Acquia's unforking initiative user-testing-passed PRs which have been successfully tested by the required number of people.
Projects
Open Source Fridays
Status: 🥳 Done
Milestone
6.0.0-beta2
Development

Successfully merging this pull request may close these issues.
4 participants
@escopecz @rohitpavaskar @rahuld-dev @RCheesley