orchidsoftware / platform

Orchid is a @laravel package that allows for rapid application development of back-office applications, admin/user panels, and dashboards.
https://orchid.software
MIT License
4.26k stars, 631 forks

Screen name() with apostrophe gets escaped causing ' to appear instead. #2755

Closed BrianWendt closed 6 months ago

BrianWendt commented 7 months ago

Describe the bug Screen name() with apostrophe gets escaped causing & # 0 3 9 ; to appear instead. (spaces added because markdown decodes the & # 0 3 9 ; as an apostrophe)

To Reproduce Steps to reproduce the behavior:

  1. Create a screen (blah blah blah)
  2. Have the name() method return "You're testing this"
  3. Render screen and see the entity code in the header and tag

Expected behavior I expect the title and header to read "You're testing this" but it returns "You& # 0 3 9 ;re testing this"

Screenshots

Desktop (please complete the following information):

  - OS: Windows 11
  - Browser: Chrome
  - Version

Smartphone (please complete the following information):

  - Device: [e.g. iPhone6]
  - OS: [e.g. iOS8.1]
  - Browser [e.g. stock browser, safari]
  - Version [e.g. 22]

Server (please complete the following information):

  - Platform Version: 14.14
  - Laravel Version: 10.10
  - PHP Version: [e.g. 8.1]
  - Database: MariaDB
  - Database Version: 10.4.28

Additional context

BrianWendt commented 7 months ago

I think the e() helper function should be removed from where the 'title' section is defined. Only the Screen class uses that view and the $name is set via a method that is strict typed as a string. The @yield directive already escapes strings which I think is causing the problem. With that in mind, I think removing the e() shouldn't cause any security vulnerability.

tabuna commented 6 months ago

Yes, I think that escaping was unnecessary.
I suggest upgrading to the latest version to fix this issue.
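The double-escaping described in this thread, as an added example in plain PHP (not Orchid's or Laravel's own code). The helper names are assumptions standing in for Laravel's e() and for the escaping that the inline @section('title', ...) form applies; both ultimately call htmlspecialchars with ENT_QUOTES, which is why an apostrophe becomes &#039; once and &amp;#039; twice. The browser decodes &amp;#039; to the literal text &#039;, which is exactly what the report shows. The example also checks that the remaining single layer still neutralises markup, so dropping the redundant e() does not weaken the output.

```php
<?php
// Added example, not part of the Orchid project. Models the two escaping
// layers that produced "&#039;" in the page title and the single layer
// that the fix leaves in place.

// Stand-in for Laravel's e(): htmlspecialchars with ENT_QUOTES and, by
// default, $doubleEncode = true, so an existing "&#039;" becomes
// "&amp;#039;" when escaped a second time.
function escapeOnce(string $value, bool $doubleEncode = true): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', $doubleEncode);
}

// What the layout did before the fix: e() on the name in the view, then the
// inline section escaped the already-escaped value again.
function renderTitleDoubleEscaped(string $name): string
{
    $fromView = escapeOnce($name);      // first layer: e() in the view
    return escapeOnce($fromView);       // second layer: @section('title', ...)
}

// What the fix does: pass the raw string through and let the one remaining
// layer escape it.
function renderTitleEscapedOnce(string $name): string
{
    return escapeOnce($name);
}

// Alternative when a second layer cannot be removed: ask it not to re-encode
// entities that are already well-formed ($doubleEncode = false). This also
// leaves any entity typed by a user as-is, so it is only appropriate when
// the input is known to be already escaped.
function renderTitleNoDoubleEncode(string $name): string
{
    return escapeOnce(escapeOnce($name), false);
}

// Constructed sample inputs: the title from the report and a name that
// carries markup, to confirm escaping is still applied exactly once.
$name   = "You're testing this";
$markup = "<b>bold</b> title";

echo "double-escaped: ", renderTitleDoubleEscaped($name), PHP_EOL;
echo "escaped once:   ", renderTitleEscapedOnce($name), PHP_EOL;
echo "no re-encode:   ", renderTitleNoDoubleEncode($name), PHP_EOL;
echo "markup, once:   ", renderTitleEscapedOnce($markup), PHP_EOL;
```

The single-layer output for the sample title is "You&#039;re testing this", which a browser renders as the intended apostrophe; the double-layer output is "You&amp;#039;re testing this", which renders as the literal "&#039;" seen in the report. The markup sample shows that the remaining layer still converts < and > to their entities, so removing the duplicate e() changes only how many times the value is encoded, not whether it is encoded.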