
Item6276: Cannot specify percentBRpercent for newline value

Item Form Data

| AppliesTo | Component | Priority | CurrentState | WaitingFor | TargetRelease | ReleasedIn |
| Extension | CommentPlugin | Urgent | Closed | | patch | 5.0.0 |


Detail

I have defined some templates in Main.UserCommentsTemplate

Included in the definition is the newline parameter like so:

%URLPARAM{"comment" newline=" <br /> "
" }%

Unfortunately, what I get on the page in raw after submitting a comment is:

Line1 &lt;br /&gt; Line2

When what I used to get is

Line1 <br /> 
Line2

I cannot figure out a way to work around this.

<sticky>%BR%</sticky>
does not work as a newline value.

-- TWiki:Main/AJAlfieriCrispin - 08 Jun 2009

This is likely caused by the TWiki:Codev/SecurityAlert-CVE-2009-1339 fix. Needs to be addressed.

-- TWiki:Main.PeterThoeny - 08 Jun 2009

Hi TWiki:Main/AJAlfieriCrispin, please paste your comment definition here (using verbatim). This is the bug - I am getting very different results. I played with the tableappend comment template shipped with TWiki. I replaced

%URLPARAM{"comment" newline="<br />"}%
with
%URLPARAM{"comment" newline="%BR%"}%

Sometimes the comment expands %BR% and sometimes it ignores expanding it.

Please share your comment template - I will use it to fix the code.

-- TWiki:Main.SopanShewale - 20 Jul 2009

Hello. I guess this never went anywhere? We're having the same problem.

<verbatim>
%COMMENT{type="tableappend" button="Add change"}%
</verbatim>

Same results for tableprepend .

The gt and lt get converted and stored as the html escape codes.

(We'll see if this comes out right) <verbatim>

a<br />b<br />c AaronWalker 2009-10-19 - 09:51
</verbatim>

-- TWiki:Main.AaronLWalker - 19 Oct 2009

I created a page on the sandbox here. Same problem.

test topic

-- TWiki:Main.AaronLWalker - 19 Oct 2009

Yes, this is the bug. Working on it.

-- TWiki:Main.SopanShewale - 22 Oct 2009

Hi - please change the definition of your "tableappend" comment template, i.e. modify TWiki.CommentPluginTemplate and change the following line from

%TMPL:DEF{OUTPUT:tableappend}%%POS:BEFORE%| %URLPARAM{"comment" newline="<br />"}% | %WIKIUSERNAME% | %SERVERTIME% |

to

%TMPL:DEF{OUTPUT:tableappend}%%POS:BEFORE%| %URLPARAM{"comment" newline="<br />" encode="off"}% | %WIKIUSERNAME% | %SERVERTIME% |

Notice - encode="off" inside %URLPARAM

A similar change should be made to the other comment type definitions - make sure you add encode="off" only to the DEF part of the definitions.

-- TWiki:Main.SopanShewale - 26 Oct 2009

Thank you, that does the trick!

-- TWiki:Main.AJAlfieriCrispin - 09 Dec 2009

I am re-opening this because the current fix opens up comment boxes to cross site vulnerabilities.

Proper fix: Introduce $n and $br in newline="" parameter of VarURLPARAM.

-- PeterThoeny - 03 Mar 2010

The $br and $n variables are now handled by newline="" parameter of VarURLPARAM - feature proposal at TWiki:Codev/UrlparamWithVariablesInNewline, feature tracker Item6404.

-- TWiki:Main.PeterThoeny - 20 Mar 2010

I reverted the addition of encode="off", and instead changed the newline parameter to newline="$br".

-- TWiki:Main.PeterThoeny - 20 Mar 2010

I reverted the addition of encode="off", and instead changed the newline parameter to newline="$br".

For those of you who want to patch your TWiki:

Modified: twiki/trunk/core/lib/TWiki.pm
===================================================================
--- twiki/trunk/core/lib/TWiki.pm   2010-03-09 03:03:53 UTC (rev 18389)
+++ twiki/trunk/core/lib/TWiki.pm   2010-03-20 00:29:32 UTC (rev 18390)
@@ -3977,8 +3977,16 @@
        }
    }
    if( defined $value ) {
-        $value =~ s/\r?\n/$newLine/go if( defined $newLine );
-        $value = _encode( $encode, $value );
+        if( defined $newLine ) {
+            $newLine =~ s/(\$br\b|%BR%)/\0-br-\0/go;
+            $newLine =~ s/\$n\b/\0-n-\0/go;
+            $value =~ s/\r?\n/$newLine/go;
+            $value = _encode( $encode, $value );
+            $value =~ s/\0-br-\0/<br \/>/go;
+            $value =~ s/\0-n-\0/\n/go;
+        } else {
+            $value = _encode( $encode, $value );
+        }
    }
    unless( defined $value && $value ne '' ) {
        $value = $params->{default};
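
Review bot: the restore step at s/\0-br-\0/<br \/>/go and s/\0-n-\0/\n/go runs on the whole encoded $value, and nothing in the visible lines removes NUL bytes from the submitted $value beforehand, so a value that already carries one of the marker sequences is restored as <br /> or a raw newline unless _encode() happens to escape \0. Suggest stripping \0 from $value before the s/\r?\n/$newLine/go line, and adding a short comment that the markers exist so $br and $n survive _encode(). The /o modifiers on these constant patterns have no effect and can be dropped.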

-- TWiki:Main.PeterThoeny - 20 Mar 2010
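
The three behaviours discussed in this item, side by side, as an added example that is not TWiki code and not part of the original thread. `entity_encode` is a stand-in for TWiki's encoding step (assumed to escape `& < > " '`), the sub names are hypothetical, and the sample comment is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in for the encoding step (assumption: plain HTML entity escaping).
sub entity_encode {
    my ($text) = @_;
    my %map = ( '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                '"' => '&quot;', "'" => '&#39;' );
    $text =~ s/([&<>"'])/$map{$1}/g;
    return $text;
}

# 1. Reported behaviour: newline text is inserted first, then everything is
#    encoded, so the template's own <br /> is escaped along with user input.
sub newline_then_encode {
    my ( $value, $newline ) = @_;
    $value =~ s/\r?\n/$newline/g;
    return entity_encode($value);
}

# 2. encode="off": the <br /> survives, but so does any markup the submitter typed.
sub encode_off {
    my ( $value, $newline ) = @_;
    $value =~ s/\r?\n/$newline/g;
    return $value;
}

# 3. newline="$br": mark line breaks, encode, then restore only the marker.
sub br_token {
    my ($value) = @_;
    $value =~ s/\0//g;               # added here: user input cannot contain the marker
    $value =~ s/\r?\n/\0-br-\0/g;    # placeholder that encoding leaves untouched
    $value = entity_encode($value);
    $value =~ s/\0-br-\0/<br \/>/g;  # only template-controlled breaks become markup
    return $value;
}

# Constructed sample comment: two lines, the second containing markup.
my $comment = "Line1\nLine2 <i>markup</i>";

for my $case (
    [ 'newline="<br />"'              => newline_then_encode( $comment, '<br />' ) ],
    [ 'newline="<br />" encode="off"' => encode_off( $comment, '<br />' ) ],
    [ 'newline="$br"'                 => br_token($comment) ],
) {
    printf "%-32s %s\n", @$case;
}
```

Only the third form yields a real line break while the submitter's markup stays escaped.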

ItemTemplate
Summary Cannot specify percentBRpercent for newline value
ReportedBy TWiki:Main.AJAlfieriCrispin
Codebase 4.3.1, 4.3.2, ~twiki4
SVN Range TWiki-5.0.0, Sat, 18 Apr 2009, build 18024
AppliesTo Extension
Component CommentPlugin
Priority Urgent
CurrentState Closed
WaitingFor

Checkins TWikirev:18191 TWikirev:18192 TWikirev:18363 TWikirev:18364 TWikirev:18365 TWikirev:18392 TWikirev:18393 TWikirev:18394
TargetRelease patch
ReleasedIn 5.0.0
Topic revision: r23 - 2010-05-31 - PeterThoeny