Revolution: MODX Tree shows "HTML" elements
Bug report
Summary
After the recent security patches (PR #14335) the MODX Tree applies html encoding to the node text.
For resources the text for nodes contains a span element surrounding the resource ID. This span element tells browsers that it should use the text direction "left-to-right". Because the text is encoded it shows the element as "regular" text.
Step to reproduce
Fetch the most recent MODX source from the 2.x branch and install it.
Open the manager and check the MODX Tree.
Observed behavior
Expected behavior
Tree elements for resources should not show the span element.
Environment
MODX 2.7.x-dev
JoshuaLuckers
All 5 comments
I can reproduce this bug.
The problem was found, here is - https://github.com/modxcms/revolution/pull/14335/files#diff-5f9a4ceb2f6f68d22416f98adcc4fdb5R250
Ibochkarev
on 10 Feb 2019
I'm not sure what's the best way to solve this issue. A quick and dirty workaround would be to use a find and replace for this particular element after the string is encoded.
Using a quick and dirty workaround is not something I prefer and it should be used as a last resort if it this issue prevents a 2.7.1 release.
JoshuaLuckers
on 10 Feb 2019
If we can't run htmlEncode on n.text, then n.text has to be sanitised _before_ it gets to the client-side. That's probably in the getNodes processor. A find and replace would be very dirty ;)
Mark-H
on 10 Feb 2019
And here exactly need htmlEncode? For a resource heading, for example, htmlEncode is applied again - https://github.com/modxcms/revolution/pull/14335/files#diff-b7fb669b456b21ec201094399cdc918bR496
Ruslan-Aleev
on 10 Feb 2019
So that turned out to be more complicated than I expected, but #14361 should resolve this. Would appreciate help with testing that.
Mark-H
on 10 Feb 2019
Related issues
Ruslan-Aleev
路
3Comments
travisbotello
路
3Comments
muzzwood
路
4Comments
Ruslan-Aleev
路
3Comments
Ruslan-Aleev
路
3Comments