
dotCMS 22.08 Apostrophes, colons and semicolons disrupt the proper functioning of Key/Value Fields

Open TheGreatAlexander opened this issue 2 years ago • 12 comments

Describe the bug

After I upgraded from dotCMS 22.03 to 22.08 I noticed that the apostrophes, colons and semicolons contained in key/value fields make them not display in the back end. So on my backend all key/values that contain apostrophes, colons and semicolons do not display and the fields display "No Values".

To Reproduce

There are two ways to reproduce the problem:

1 - Go to the demo in the back end, see https://demo.dotcms.com/dotAdmin/#/c/c_Products/2043a54b-0a7f-449a-890b-3d6eaa1e018e

2 - Make any change you want in any field, then click on PUBLISH and voilà!

You get an annoying pop up with this:

Unexpected character ('F' (code 70)): was expecting double-quote to start field name at [Source: (String)"{Fast Fly Weight:3lb 7oz / 1.56kg,Vestibule Area:9 + 9sq ft / 0.8 + 0.8 sqm,Trail Weight:4lb 8oz / 2.04kg,Footprint Weight:8oz / 227g,Packed Weight:5lb / 2.27kg,Number of Doors:2,Packed Size:6" x 20" / 15 x 51cm,Number of Seasons:3}"; line: 1, column: 3]

Another interesting case is this one on the demo:

https://demo.dotcms.com/dotAdmin/#/c/c_Products/45d90b05-c1eb-48dd-98ad-171c63445175

As you can see in the backend, it shows no value on the specifications field: Screen Shot 2022-08-14 at 8 38 33 PM

However, if you see it in the front end, you will see the values: Screen Shot 2022-08-14 at 8 39 21 PM

If you want to reproduce it in another way, simply:

1 - On the demo, create a new product contentlet

2 - Add in the specifications field anything with an apostrophe, colon or semicolon

3 - Click publish and you will run into a perennial "saving content ..." message

Note you can add:

key: test
value: Let me check; we will see

Screen Shot 2022-08-14 at 8 40 58 PM

After you escape out of that saving content, go back to the contentlet you created and try to add again the same (because it will not be displayed):

key: test
value: Let me check; we will see

You will see a message stating that the key already exists:

Screen Shot 2022-08-14 at 8 50 00 PM

This happens on dotCMS 22.08

Desktop (please complete the following information):

  • OS: [e.g. iOS]
  • Browser [e.g. chrome, safari]
  • Version [e.g. 22]

TheGreatAlexander avatar Aug 15 '22 02:08 TheGreatAlexander

Upon comparison against version release-22.03: the JavaScript function addKVPair(fieldId, fieldValueId) in edit_field_js.jsp takes care of the double quotes escaping here:

//escape double quotes
key = replaceAll('"', '"', key);
...
//escape double quotes
value = replaceAll('"', '"', value);

It does escape both key and value. Currently what arrives on the server lacks escaping, which makes me think the new dot-key-value WebComponent is probably missing that logic.

fabrizzio-dotCMS avatar Aug 24 '22 18:08 fabrizzio-dotCMS

Just to be clear, we should be properly escaping quotes and other special characters and not just removing them. What a user enters in a key or in a value should be what we store, return and display.

wezell avatar Aug 24 '22 18:08 wezell
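The difference between the unescaped payload in the error message above and a payload that keeps exactly what the user typed, as an added example that is not code from the dotCMS repository or the linked PRs. The function names and the sample pairs are assumptions made for illustration.

```javascript
// Added example; function names are hypothetical, not dotCMS APIs.

// Naive serializer: joins pairs without quoting or escaping, producing
// the shape reported in the error message ({Key:value,Key:value}).
function serializeNaive(pairs) {
  return '{' + pairs.map(([k, v]) => `${k}:${v}`).join(',') + '}';
}

// Safe serializer: the JSON encoder quotes and escapes every key and value,
// so nothing the user typed has to be stripped or rewritten by hand.
function serializeSafe(pairs) {
  return JSON.stringify(Object.fromEntries(pairs));
}

// Inverse of serializeSafe: back to [key, value] pairs.
function deserialize(text) {
  return Object.entries(JSON.parse(text));
}

// True when the text is accepted by a strict JSON parser.
function parses(text) {
  try {
    JSON.parse(text);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample input using the characters named in this issue.
const samplePairs = [
  ['test', 'Let me check; we will see'],
  ['Packed Size', '6" x 20" / 15 x 51cm'],
  ["owner's note", 'ratio 3:1 \\ path'],
];

// True when every key and value survives store-and-load unchanged.
function roundTrips(pairs) {
  const back = deserialize(serializeSafe(pairs));
  return JSON.stringify(back) === JSON.stringify(pairs);
}

console.log('naive payload parses:', parses(serializeNaive(samplePairs)));
console.log('safe payload round-trips:', roundTrips(samplePairs));
```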

PR: https://github.com/dotCMS/core/pull/22918/files

alfredo-dotcms avatar Sep 01 '22 23:09 alfredo-dotcms

The new implementation feels quite solid. I wasn't able to break it by entering any of the conflicting characters like ", ', \. Also tried injecting javascript into but it gets sanitized just fine.

However, there's one scenario where the dot-key-value is used to render metadata where the table fails to render and that is when on an Image File Asset we set a focalPoint

This is because the focalPoint is written into a JSON that looks like this:

{
   "modDate":1662744961363,
   "sha256":"9461f042f37b5a399f045551b02de3164428ddd53e0cf30e98a037c7d09eb410",
   "length":64882,
   "title":"synchronicity.jpeg",
   "version":20220201,
   "content":"",
   "path":"f/e/fe09444d-6bef-436f-bbf2-3a91f8d2d5c0/fileAsset/synchronicity.jpeg",
   "isImage":true,
   "dot:focalPoint":"0.541666,70.49",
   "fileSize":64882,
   "name":"synchronicity.jpeg",
   "width":600,
   "contentType":"image/jpeg",
   "height":600
}

and the focalPoint itself has many components that could break the JSON:

"dot:focalPoint":"0.541666,70.49"

If I remove the focalPoint from the JSON file and then clear the Metadata cache, the table displays correctly. I was not able to break the component by entering the same value on the UI.

fabrizzio-dotCMS avatar Sep 09 '22 21:09 fabrizzio-dotCMS

PR: https://github.com/dotCMS/core/pull/22960/files

alfredo-dotcms avatar Sep 12 '22 20:09 alfredo-dotcms

The metadata table still isn't loading after adding the focal point.

fabrizzio-dotCMS avatar Sep 13 '22 17:09 fabrizzio-dotCMS

PR: https://github.com/dotCMS/core/pull/22970

alfredo-dotcms avatar Sep 13 '22 18:09 alfredo-dotcms

Can't save contentlet when the key-value is empty.

Screen Shot 2022-09-13 at 17 53 52

fabrizzio-dotCMS avatar Sep 13 '22 23:09 fabrizzio-dotCMS

PR: https://github.com/dotCMS/core/pull/22979/files

alfredo-dotcms avatar Sep 14 '22 16:09 alfredo-dotcms

The inputs need to be sanitized to prevent an injection attack. I was able to add a simple script and execute it by re-opening the dialog.

Adding a javascript alert.

Screen Shot 2022-09-14 at 16 29 32

Once I hit save and re-open the dialog. It looks like this

Screen Shot 2022-09-14 at 16 29 47

After I click ok on the Alert dialog

Screen Shot 2022-09-14 at 16 29 59

fabrizzio-dotCMS avatar Sep 14 '22 22:09 fabrizzio-dotCMS
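One way to keep the stored key/value text verbatim while stopping it from executing when the dialog re-renders it, as an added example that is not the fix from the linked PRs. The names escapeHtml, renderRowUnsafe and renderRow are hypothetical, and the stored pair is constructed.

```javascript
// Added example; names are hypothetical, not the dot-key-value component's API.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode the five characters that can change HTML parsing context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: stored values are interpolated straight into markup, so any tag
// saved in a key or value becomes part of the page when the table renders.
function renderRowUnsafe(key, value) {
  return `<tr><td>${key}</td><td>${value}</td></tr>`;
}

// After: values are encoded at output time. The stored data is untouched,
// so the user still sees exactly what was typed.
// (With a live DOM, assigning to cell.textContent gives the same guarantee.)
function renderRow(key, value) {
  return `<tr><td>${escapeHtml(key)}</td><td>${escapeHtml(value)}</td></tr>`;
}

// Constructed stored pair: a value containing markup plus the punctuation
// from the original report.
const storedKey = "owner's note";
const storedValue = '<script>alert(1)</script> 6" x 20"; ratio 3:1';

// True when the rendered row contains no tag other than the table markup.
function onlyTableTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.every((t) => /^<\/?(tr|td)>$/.test(t));
}

console.log(onlyTableTags(renderRowUnsafe(storedKey, storedValue)));
console.log(onlyTableTags(renderRow(storedKey, storedValue)));
```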

PR: https://github.com/dotCMS/core/pull/23004

alfredo-dotcms avatar Sep 15 '22 23:09 alfredo-dotcms

I couldn't break it this time. Looks good to me.

fabrizzio-dotCMS avatar Sep 16 '22 17:09 fabrizzio-dotCMS

Approved QA - Tested on 22.10_53380a7c_SNAPSHOT // Docker // macOS 12.6 FF v105

josemejias07 avatar Sep 29 '22 21:09 josemejias07