Server: Nextcloud does wrongly encode the Slogan

Created on 12 Dec 2017 · 6 Comments · Source: nextcloud/server

We are able to define a slogan in the theming section of Nextcloud. Unfortunately this is displayed wrong to new users due to encoding errors.

Also, you can already see it's a bit broken when you set the slogan to 'foo & bar', and then just reload the settings page. It does not display & and instead displays &amp; as the slogan.

1. to develop bug theming papercut

All 6 comments

> Unfortunately this is displayed wrong to new users due to encoding errors.

Fix is in nextcloud/firstrunwizard#51

> Also, you can already see it's a bit broken when you set the slogan to 'foo & bar', and then just reload the settings page. It does not display & and instead displays &amp; as the slogan.

I don't get this. What is the actual problem here? Could you rephrase it?

@MorrisJobke thanks for the instant feedback. What I was trying to explain is:

If you enter foo & bar in the theme settings, save and refresh the page you'll notice there is a foo &amp; bar written in the input field. Probably due to the same encoding errors.

> If you enter foo & bar in the theme settings, save and refresh the page you'll notice there is a foo &amp; bar written in the input field. Probably due to the same encoding errors.

cc @nextcloud/theming

See comment by @blizzz and thus it needs more work.


Not convinced. getSlogan can be overridden by themes, for instance, we cannot be sure it always arrives sanitized. I'd rather remove the sanitation in ThemingDefaults. Also, apparently there is also a double escaping in the Login Controller as of now:

core/Controller/LoginController.php
193:            Util::addHeader('meta', ['property' => 'og:description', 'content' => Util::sanitizeHTML($this->defaults->getSlogan())]);

Requires more changes however, but I feel more comfortable when it is sanitized where the output takes place.

> Requires more changes however, but I feel more comfortable when it is sanitized where the output takes place.

I cannot find the discussion, but I remember the argument for having this sanitized in the ThemingDefaults was, that we cannot ensure that apps always sanitize the output when they use values from the Defaults. From my POV that still would be fine, since the theming values can be changed by admins only.

This is still an issue on my instance running on NextCloud 15.0.4:
When using special characters (like apostrophe or double quotes) in the slogan field, the FirstRunWizard shows the HTML entities despite the original character.
The login page handles everything correctly as shown by the opener.

See https://help.nextcloud.com/t/theming-slogan-encoding-issue/47915 for additional reference.
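
The trade-off debated in the comments above (escaping in ThemingDefaults versus escaping where the output takes place), as an added PHP 8 example that is not Nextcloud's code. `SloganSource`, `PreEscapedDefaults`, `RawThemeOverride`, `escapeHtml` and the two render functions are hypothetical names, and plain `htmlspecialchars` is assumed as a stand-in for `Util::sanitizeHTML`.

```php
<?php
declare(strict_types=1);

// Stand-in escaper (assumption: plain htmlspecialchars, not Nextcloud's Util::sanitizeHTML).
function escapeHtml(string $value, bool $doubleEncode = true): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', $doubleEncode);
}

// Hypothetical slogan sources: one escapes at the source, one (a theme override) returns raw text.
interface SloganSource { public function getSlogan(): string; }

final class PreEscapedDefaults implements SloganSource {
    public function __construct(private string $stored) {}
    public function getSlogan(): string { return escapeHtml($this->stored); }
}

final class RawThemeOverride implements SloganSource {
    public function __construct(private string $stored) {}
    public function getSlogan(): string { return $this->stored; }
}

// Sink that escapes at the point where the value is written into HTML.
function renderEscaping(SloganSource $source, bool $doubleEncode = true): string {
    return '<meta property="og:description" content="'
        . escapeHtml($source->getSlogan(), $doubleEncode) . '">';
}

// Sink that trusts the source to have escaped already.
function renderTrusting(SloganSource $source): string {
    return '<p class="slogan">' . $source->getSlogan() . '</p>';
}

$slogan = 'foo & "bar"'; // constructed sample input

// Four combinations: pre-escaped source + escaping sink is double-escaped,
// raw source + trusting sink is emitted unescaped, the other two are escaped exactly once.
foreach ([new PreEscapedDefaults($slogan), new RawThemeOverride($slogan)] as $source) {
    echo get_class($source), PHP_EOL;
    echo '  escaping sink: ', renderEscaping($source), PHP_EOL;
    echo '  trusting sink: ', renderTrusting($source), PHP_EOL;
}

// double_encode=false hides the double escaping but is lossy: a raw slogan that
// literally contains "&amp;" is passed through unchanged and the browser shows "&".
echo renderEscaping(new RawThemeOverride('type &amp; for an ampersand'), false), PHP_EOL;
```

Only the pairing of a raw source with an escaping sink is correct for every source, including overrides that make no escaping promise.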
