From mboxrd@z Thu Jan 1 00:00:00 1970
From: Adolf Belka
To: development@lists.ipfire.org
Subject: Re: [PATCH] connscheduler.cgi: Remove cleanhtml command from Remark
Date: Thu, 07 Mar 2024 14:19:01 +0100
Message-ID: <576dbd1b-1b4f-4fdc-92c7-8300c7580f5f@ipfire.org>

Hi Michael,

On 07/03/2024 12:18, Adolf Belka wrote:
> Hi Michael,
>
> I think I know how to solve the problem.
>
> I tested out using HTML::Entities::encode_entities in a very simple Perl program and found I got the same type of entity encoding as in the WUI CGI pages.
>
> However, if I treated the string of characters as utf8 then the HTML::Entities::encode_entities gave the results expected.
>
> So I need to figure out how to treat the remark strings as utf8 and hopefully that should fix the problem. At least I have a view of a path forward on this issue now, that will keep the protection of the cleanhtml command while also allowing characters with diacritical marks, plus special characters such as the Cyrillic alphabet and also things like the German eszett that currently all get mangled.
>
> Will let you know how I get on.
>

I got it to work. I used the dns.cgi page with the cleanhtml line still in it. I then ran decode("UTF-8", "Remark string") before running the cleanhtml command on the same string.

I entered ß Ф Ч < > Ӧ ü £ μ ô ò ó õ å ä ã â á à and after it was accepted the WUI page still showed the same characters so it looked to have worked.

In the servers file the characters are all encoded entities with the names to be expected
ß Ф Ч < > Ӧ ü £ μ ô ò ó õ å ä ã â á à

To make that work I had to add use Encode at the top of the dns.cgi page.

So unless there is any indication back that this approach is not a good one I will start to work on new patch updates for the various pages that will keep the existing cleanhtml commands but decode the strings from UTF-8 to enable the HTML::Entities command to work correctly.

Regards,

Adolf

> Additionally I will also later on create patches for the WUI CGI pages for the Firewall Groups and for WIO as they do not use the cleanhtml command at all yet they also have many Remark entries. I will also check out the other WUI pages that don't use the cleanhtml command to see if they have remarks etc that should use it.
>
> Regards,
>
> Adolf.
>
> On 06/03/2024 23:23, Adolf Belka wrote:
>> Hi Michael,
>>
>> On 06/03/2024 22:28, Michael Tremer wrote:
>>> Hello Adolf,
>>>
>>> I believe that I cannot merge these patches.
>> Then you need to also look back at the dns.cgi patch for the bug fix due to German umlauts being changed. The acceptance of that patch is what made me create these patches as they all had the same problem with remarks as well. If this can't be accepted as is then that patch needs to be reverted.
>>
>> https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=7c6ff5ff12331a53f416080a44c8d6145e78bfac
>>>
>>> The reason simply is that it would create a stored cross-site scripting attack vector because someone could store some
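
Added example, not part of the original message and not IPFire's own code: a Perl sketch of the behaviour described in the reply above, where HTML::Entities::encode_entities mangles a remark handed over as raw UTF-8 bytes and gives the expected entities once the string is decoded first. The escape_remark helper and the sample strings are constructed for illustration, and the fallback for malformed UTF-8 is an assumption the thread does not discuss.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Encode qw(decode);
use HTML::Entities qw(encode_entities);

# Hypothetical helper (not IPFire's cleanhtml): decode the remark from UTF-8
# bytes to characters, then entity-encode it for storage and display.
sub escape_remark {
    my ($bytes) = @_;

    # Strict decode: die on malformed input instead of silently substituting.
    # LEAVE_SRC keeps $bytes intact so it can be used in the fallback.
    my $chars = eval {
        decode("UTF-8", $bytes, Encode::FB_CROAK() | Encode::LEAVE_SRC());
    };

    # Assumed fallback: if the input is not valid UTF-8, escape the raw bytes.
    # The text may look wrong, but < > & and all high bytes are still encoded.
    $chars = $bytes unless defined $chars;

    return encode_entities($chars);
}

# Constructed samples, written as the raw bytes a CGI script receives.
my @samples = (
    "Gr\xC3\xBC\xC3\x9Fe <b>x</b>",   # valid UTF-8: u-umlaut, eszett, markup
    "\xD0\xA4\xD0\xA7 & more",        # valid UTF-8: two Cyrillic letters
    "caf\xE9 <b>",                    # Latin-1 byte, not valid UTF-8
);

for my $raw (@samples) {
    # Without decoding, every byte of a multi-byte sequence is treated as its
    # own Latin-1 character, so one letter turns into two unrelated entities.
    print "bytes only  : ", encode_entities($raw), "\n";

    # With decoding, each character maps to a single entity and the markup
    # characters are escaped exactly as before.
    print "decode first: ", escape_remark($raw), "\n\n";
}
```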