Closed kavimuru closed 8 months ago
Triggered auto assignment to @Christinadobrzyn (Bug
), see https://stackoverflow.com/c/expensify/questions/14418 for more details.
Platforms
in OP are ✅)App crashes if you send an image immediately after renaming the workspace with <
we parse html to get images using open tag img
and add into attachment
but problem is here as we are writing string to htmlParser
using write()
we are appending messages over and over.
so in this condition when we rename workspace we get html as
updated the name of this workspace from "TEST" to "<TEST"
here we have open tag "<TEST"
and we append next html that is containing image gets appending like
updated the name of this workspace from "TEST" to "<TEST"<img src="https://www.expensify.com/chat-attachmen…sify-height="2532" data-expensify-width="1170" />
So we get openTag as test"<img {src: 'src'
in onopentag
it will get return early here
https://github.com/Expensify/App/blob/8ba223457b9a2e8d02f1c57d7c21fd7f0c523573/src/components/AttachmentCarousel/index.js#L158-L177 We are just looking for attachments. We can update this to parse only attachments and this way we can avoid unnecessary parsing.
_.forEach(actions, (action) => {
if (!_.get(action, 'isAttachment', false)) return;
htmlParser.write(_.get(action, ['message', 0, 'html']))
});
None
I can reproduce - adding External
Job added to Upwork: https://www.upwork.com/jobs/~012613bc6123fc7e67
Current assignee @Christinadobrzyn is eligible for the External assigner, not assigning anyone new.
Triggered auto assignment to Contributor-plus team member for initial proposal review - @rushatgabhane (External
)
App crashes if you send an image immediately after renaming the workspace with <
<
affects html parsing by mixing html tags. We need to escape html characters to fix this issue.
e.g. in this case,
expected attachment tag name is img
but returned myworkspaces"<img
To solve this problem, I think we should escape html characters.
e.g.
>
=> >
, <
=> <
, &
=> &
, "
=> "
, '
=> '
.
And also, this can occur script attack security issue.
But which code should we update?
There're several ways to avoid or fix this issue. But we can fix this easily on FE side by converting html when fetching from onyx storage
This is what I suggest to do. Because, even we do a trick for attachment html parsing, there might be another issue occurred. So, by escaping html characters from onyx storage on fetching step, we can avoid these kinda issues.
And I saw that all kinda data is fetched by onyx.getSortedReportActions()
.
We don't need to convert all html strings. We just need to convert Workspace updated comments
Current code: https://github.com/Expensify/App/blob/0bbf3fccfce0994ddf4fd9e95fb33dd9edbd1868/src/libs/ReportActionsUtils.js#L148-L177 We can add the following code after sorting:
.map((action) => {
if (action.actionName === CONST.REPORT.ACTIONS.TYPE.POLICYCHANGELOG.UPDATE_NAME) {
action.message = action.message.map((message) => {
message.html = message.html.replace(/</g, i => `<`).replace(/>/g, i => `>`).replace(/&/g, '&').replace(/'/g, ''').replace(/"/g, '"');
return message;
});
}
return action;
})
.value();
Why this needed?
Current issue occurs another issue. After changing workspace name to <myworkspace
, if we change workspace name to <myworkspace__additional_str_here__
, it doesn't show correctly on chat window.
Issued screenshot Above code will fix this issue too
https://github.com/Expensify/App/assets/28853367/a9774110-5dd8-46fb-a2a3-db52f7fc8e44
https://github.com/Expensify/App/assets/28853367/79bac725-1c26-4278-a484-eb52c5e49a92
None
📣 @jstortoise! 📣 Hey, it seems we don’t have your contributor details yet! You'll only have to do this once, and this is how we'll hire you on Upwork. Please follow these steps:
Contributor details
Your Expensify account email: <REPLACE EMAIL HERE>
Upwork Profile Link: <REPLACE LINK HERE>
Contributor details
Your Expensify account email: jslegend119@gmail.com
Upwork Profile Link: https://www.upwork.com/freelancers/~01eaf6919d6b87486a
✅ Contributor details stored successfully. Thank you for contributing to Expensify!
Triggered auto assignment to @marcochavezf (Engineering
), see https://stackoverflow.com/c/expensify/questions/4319 for more details.
@rushatgabhane can you please review the proposals when you have time? Thank you!
Just a little nudge @rushatgabhane - let me know if you'd like to see more proposals!
We should reset htmlParser string or append
in each parse here
@kushu7 reset on every parse would be expensive. And adding a line break might lead to bugs. I agree with your root cause tho!
@jstortoise will the UI show "<" as <
?
No, it'll show <
@jstortoise will the UI show "<" as
<
?
We use htmlparser, so <
will be shown as <
on UI.
e.g. <span><test</span>
will be shown as <test
adding a line break might lead to bugs.
I think no, as we are just parsing html to get img tags. Could you please tell me which type of bug can occur?
And here htmlParser is just used for getting img
tags, nothing related to ui done here, so converting to escape characters. I don't see any value here.
You can see full function
📣 It's been a week! Do we have any satisfactory proposals yet? Do we need to adjust the bounty for this issue? 💸
g/etting to this today evening
@rushatgabhane Updated proposal. Attached screenshots
Let us know how these proposals look or if you'd like to see more - @rushatgabhane
📣 It's been a week! Do we have any satisfactory proposals yet? Do we need to adjust the bounty for this issue? 💸
@marcochavezf @rushatgabhane @Christinadobrzyn this issue was created 2 weeks ago. Are we close to approving a proposal? If not, what's blocking us from getting this issue assigned? Don't hesitate to create a thread in #expensify-open-source to align faster in real time. Thanks!
Hi @marcochavezf @Christinadobrzyn, I don't completely understand this issue and the proposals here.
Could you please re-add the External
label to assign a different C+?
Thanks
@rushatgabhane This issue is that workspace name and chat message have different format. Workspace name is just text, not html. But chat message is html. So, if we change workspace name, api generates html from workspace name. If we input html string on workspace, it'll be applied to reports. It means that api doesn't handle html characters when renaming workspace name. That's the reason of this issue. As I mentioned on my proposal, there're 2 ways to fix this issue. 1st one is to fix on backend side by converting html characters. 2nd one is my proposal to fix on frontend side by converting html characters when getting report list. This will fix all possible issues. This proposal is not just trick. Iam sure this is the main solution
Current assignee @Christinadobrzyn is eligible for the External assigner, not assigning anyone new.
Triggered auto assignment to Contributor-plus team member for initial proposal review - @aimane-chnaif (External
)
Welcome @aimane-chnaif! You were assigned as C+ based on https://github.com/Expensify/App/issues/21133#issuecomment-1621548393
I think there are a few proposals so let us know if you see any that look like a good fit or if you'd like to see more proposals!
@Christinadobrzyn why my proposal declined?
@Christinadobrzyn @aimane-chnaif I think you need to sanitize all input fields as it might be security threat by inserting script tag inside request. If possible, do the same on the backend side too.
And there's another problem I can set workspace name to <>
but I can't set it to <lol>
. Is this intentional?
@Christinadobrzyn why my proposal declined?
I don't think we've decided on a proposal - I added @aimane-chnaif as the C+ taking over for @rushatgabhane based on https://github.com/Expensify/App/issues/21133#issuecomment-1621548393
@aimane-chnaif will be reviewing the proposals.
not overdue - we're still reviewing proposals!
📣 It's been a week! Do we have any satisfactory proposals yet? Do we need to adjust the bounty for this issue? 💸
@marcochavezf @Christinadobrzyn @aimane-chnaif this issue is now 3 weeks old. There is one more week left before this issue breaks WAQ and will need to go internal. What needs to happen to get a PR in review this week? Please create a thread in #expensify-open-source to discuss. Thanks!
hey @aimane-chnaif let us know if any of these proposals will work or if you'd like to see more. Thanks!
@Christinadobrzyn yes, I'd like to see more proposals.
There's another bug which has the same root cause.
I think this should also be fixed here.
I think the ideal solution is to escape specific characters like <, > when save as html. ref: https://stackoverflow.com/questions/7381974/which-characters-need-to-be-escaped-in-html
And there's another problem I can set workspace name to
<>
but I can't set it to<lol>
. Is this intentional?
@aimane-chnaif Can you confirm this?
And there's another problem I can set workspace name to <> but I can't set it to
. Is this intentional?
I don't see any reason why it's intentional. Should be bug I think. Btw, all of these workspace names which include html tags are edge cases and couldn't be easily caught and handled in initial implementation.
And there's another problem I can set workspace name to <> but I can't set it to
. Is this intentional? I don't see any reason why it's intentional. Should be bug I think. Btw, all of these workspace names which include html tags are edge cases and couldn't be easily caught and handled in initial implementation.
Then let me see the issue with the validator then And how can we escape tags of all types.
I'm going to be ooo until July 31st so going to unassign and assign a new teammate.
@CortneyOfstad At this time, we're receiving and reviewing proposals. I'll take this when I'm back if it's still open.
Current assignee @Christinadobrzyn is eligible for the Bug assigner, not assigning anyone new.
Platforms
in OP are ✅)
If you haven’t already, check out our contributing guidelines for onboarding and email contributors@expensify.com to request to join our Slack channel!
Action Performed:
Go to staging dot on web chrome
Click on Profile and Create a new Workspace
Click on the Workspace name and rename it to
<my workspace
(there should not be gap between < and the workspace name)Notice the workspace name is saved on the #admin room
Go to workspace settings and add any word or letter after the previous name set and click on save to rename the workspace again.
Now on #admins room, send an image and click on it to preview (ex: )
Notice that the app crashes.
Expected Result:
Preview should work when a workspace is named with <
Actual Result:
App crashes if you send an image immediately after renaming the workspace with <
Workaround:
Can the user still use Expensify without this being fixed? Have you informed them of the workaround?
Platforms:
Which of our officially supported platforms is this issue occurring on?
Version Number: 1.3.29-3 Reproducible in staging?: y Reproducible in production?: y If this was caught during regression testing, add the test name, ID and link from TestRail: Email or phone of affected tester (no customers): Logs: https://stackoverflow.com/c/expensify/questions/4856 Notes/Photos/Videos: Any additional supporting documentation
https://github.com/Expensify/App/assets/43996225/92fc94a1-fbe1-4b4f-bb42-b9036cb79949
https://github.com/Expensify/App/assets/43996225/53b7632e-4cfe-40ca-bb19-b97ecc9c5137
Expensify/Expensify Issue URL: Issue reported by: @priya-zha Slack conversation: https://expensify.slack.com/archives/C049HHMV9SM/p1686807235965749
View all open jobs on GitHub
Upwork Automation - Do Not Edit