Suitecrm: Data that looks like HTML tags is deleted from text fields

Created on 24 Oct 2017 · 6 comments · Source: salesagility/SuiteCRM

First, thanks a lot for all your work on Suite!

Issue

In our use of Suite, it is common to paste the text of an email into the description of a call. Among others, this allows us to find text in emails in connection to a call, and discover email addresses of persons who do not have a dedicated record in Suite. In addition, our emails frequently contain e.g. JavaScript snippets in between <script> tags, which are also silently removed.

When upgrading to 7.8.8, I've discovered that when a call is opened and saved again, Suite now removes everything between < and >, and unfortunately this includes email addresses. I think it may be caused by #4130, released in 7.8.6.

Expected Behavior

Suite should show the description of a call exactly as it was entered, displaying text between < and > as text by using quoting in order to prevent XSS.

Actual Behavior
When saving a call, the text in the description is modified and text between < and > such as email addresses is silently removed. Even HTML encoded text such as &lt;foo&gt; is removed, which makes saving emails (e.g. with clients) that talk about HTML encoding impossible since the text is unreadable after saving.

Possible Fix

I think it may be caused by #4130 being overeager and removing data that it shouldn't.

Steps to Reproduce
  1. Log into the SuiteCRM demo instance
  2. Edit a call
  3. Add the text foo bar <[email protected]>, other user into the description field
  4. Save the call
  5. Observe the new description text; it has been changed to: foo bar , other user, removing the email address
  6. Edit the call again, the text is still truncated
  7. Add the text <javascript>console.log('foo')</script>
  8. Save the call
  9. The javascript snippet from the description text has been removed.

Context
This bug has affected us so that we had to restore several calls from a backup and downgrade SuiteCRM again. We didn't expect it to suddenly mangle and remove text and email addresses from call descriptions.

Your Environment

  • SuiteCRM Version used: 7.8.8
  • Browser name and version (e.g. Chrome Version 51.0.2704.63 (64-bit)): Chrome 61.0.3163.100
  • Operating System and version (e.g Ubuntu 16.04): CentOS 7.4.1708
Critical Fix Proposed Bug
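The Expected Behavior section above describes the usual defensive choice for this class of bug: keep the stored text exactly as entered and HTML-encode it when it is rendered, instead of deleting anything that looks like a tag on save. The following PHP is an added example written for this page; it is not SuiteCRM code and not the contents of clean.php. The function `stripAngleBrackets` is a hypothetical reconstruction of the behaviour the report describes (entity decoding followed by removal of everything between `<` and `>`), and `renderAsText` is the output-encoding alternative; both names and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not SuiteCRM code. Contrasts an overeager strip-on-save
// sanitizer with storing text verbatim and encoding it at display time.

/**
 * Hypothetical reconstruction of the reported behaviour: entities are
 * decoded first, so "&lt;foo&gt;" becomes "<foo>", and then everything
 * between '<' and '>' is deleted, taking email addresses with it.
 */
function stripAngleBrackets(string $text): string
{
    $decoded = html_entity_decode($text, ENT_QUOTES, 'UTF-8');
    return preg_replace('/<[^>]*>/', '', $decoded);
}

/**
 * Output encoding: the stored value is never modified; '<', '>', '&' and
 * quotes are converted to entities only when rendered, so the browser
 * shows them as literal characters and never parses them as markup.
 */
function renderAsText(string $storedText): string
{
    return htmlspecialchars($storedText, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs mirroring the three cases in the report.
$samples = [
    'foo bar <alice@example.com>, other user',   // email address in brackets
    'Write &lt;foo&gt; to show a literal tag',    // already HTML-encoded text
    "<script>console.log('foo')</script>",        // inline script snippet
];

foreach ($samples as $input) {
    printf("input   : %s\n", $input);
    printf("stripped: %s\n", stripAngleBrackets($input));
    printf("encoded : %s\n\n", renderAsText($input));
}
```

Run with `php example.php`. The stripped column reproduces the data loss from the report (`foo bar , other user`, and the `&lt;foo&gt;` text disappears after decoding), while the encoded column preserves every character of the original input and produces markup that a browser renders as plain text, including the already-encoded `&lt;foo&gt;`, which round-trips as `&amp;lt;foo&amp;gt;` and displays exactly as the user typed it.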

All 6 comments

Please let me know if there's anything I can do to help!

This is not just in Calls, it affects every input field
https://suitecrm.com/forum/developer-help/16364-suitecrm-7-8-7-strips-any-text-in-angle-brackets
caused by a change to clean.php

There definitely seems to be an issue with HTML being stripped out unnecessarily. Although in some cases this would be intentional like
