Revolution: Overly Aggressive Template & Plugin Name Validation

Created on 6 Nov 2020  ·  1 Comment  ·  Source: modxcms/revolution

Bug report

Summary

The template & plugin name validation introduced in #15146 appears to be overly aggressive and causing issues on older sites. The validation appears to be copy/pasted from chunk and snippet name validation. However, I believe that validation was specifically designed because those elements are "callable" for the templating engine. It is preventing saving of templates on existing sites that use common characters such as colons or apostrophes.

This also critically breaks Teleport as a template or plugin with a previously valid name can no longer be injected into a site.

Step to reproduce

If you edit a site in the SQL to change the name to something like "Categegory: Interior" you will not be able to save the template within MODX without changing the name.

Observed behavior

This creates confusing behavior as existing Templates are suddenly not capable of being saved without changing the name. It also breaks the ability to inject sites using Teleport if these characters currently exist on their templates or plugins.

Expected behavior

Standard characters that do not pose an issue to XSS or break the site in any way should be allowed in Template Names and Plugins.

Related issue(s)/PR(s)

Introduced in https://github.com/modxcms/revolution/pull/15146

Environment

MODX 2.8.1

bug

All comments

Took a look at the validation regex, I'm posting an amendment below for discussion that expands it to include common punctuation I've encountered in Template names (this would also be fine in my opinion to be used for Plugin names):

^(?!\s)[a-zA-Z0-9\x23-\x2f\x3a\x5b-\x5d\x7f-\xff-_\s]+(?<!\s)$

(To see what is included in the various \x ranges, this site is useful: https://www.codetable.net/asciikeycodes)
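The following is an added example, not part of the original issue or of the MODX code base. It runs the regex posted in the comment above over every byte value to list what the character class rejects and which control characters it admits, then checks a few constructed names. It assumes byte-wise matching (Python `re` on UTF-8 bytes, approximating PHP `preg_match` without the `u` or `D` modifiers); the function names are hypothetical.

```python
import re

# Pattern exactly as posted in the comment, compiled as a bytes pattern so
# \x7f-\xff is compared byte by byte (assumption: no /u modifier in PHP).
PROPOSED = re.compile(
    rb"^(?!\s)[a-zA-Z0-9\x23-\x2f\x3a\x5b-\x5d\x7f-\xff-_\s]+(?<!\s)$"
)


def accepts(name):
    """True if the proposed pattern would let this name be saved."""
    return PROPOSED.match(name.encode("utf-8")) is not None


def _admits_byte(b):
    # Wrap the byte in letters so the leading/trailing whitespace
    # lookarounds do not interfere with testing the class itself.
    return PROPOSED.match(b"a" + bytes([b]) + b"a") is not None


def rejected_printable_ascii():
    """Printable ASCII (0x21-0x7e) that the character class does not admit."""
    return "".join(chr(b) for b in range(0x21, 0x7F) if not _admits_byte(b))


def admitted_control_bytes():
    """Control bytes (0x00-0x1f and DEL) that the class still admits."""
    return [b for b in list(range(0x20)) + [0x7F] if _admits_byte(b)]


# Constructed sample names; the first is the one from the bug report.
SAMPLES = [
    "Categegory: Interior",  # colon: accepted
    "Editor's Picks",        # apostrophe: accepted
    "Über uns",              # UTF-8 bytes fall in \x7f-\xff: accepted
    "Home <script>",         # angle brackets: rejected
    " Leading",              # leading whitespace: rejected
    "Trailing ",             # trailing space: rejected
    "Home\n",                # trailing newline: accepted, '$' matches before it
]

if __name__ == "__main__":
    print("rejected printable ASCII:", rejected_printable_ascii())
    print("admitted control bytes:  ", admitted_control_bytes())
    for name in SAMPLES:
        print(f"{name!r:26} -> {accepts(name)}")
```

The class still rejects `<`, `>` and `"`, but it admits `&`, `'`, tab, newline and DEL, so names that pass it still need output encoding wherever they are rendered.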
