I have defined some templates in Main.UserCommentsTemplate
Included in the definition is the newline parameter like so:
%URLPARAM{"comment" newline=" <br /> "}%
Unfortunately, what I get on the page in raw after submitting a comment is:
Line1 <br /> Line2
When what I used to get is
Line1 <br />
Line2
I cannot figure out a way to work around this.
<sticky>%BR%</sticky>
does not work as a newline value.
-- TWiki:Main/AJAlfieriCrispin - 08 Jun 2009
This is likely caused by the TWiki:Codev/SecurityAlert-CVE-2009-1339 fix. Needs to be addressed.
-- TWiki:Main.PeterThoeny - 08 Jun 2009
Hi TWiki:Main/AJAlfieriCrispin, please paste your comment definition here (using verbatim).
This is the bug - I am getting very different results. Played with the tableappend comment template shipped with TWiki. I replaced
%URLPARAM{"comment" newline="<br />"}%
with
%URLPARAM{"comment" newline="%BR%"}%
Sometimes the comment expands %BR% and sometimes it ignores expanding it.
Please share your comment template - I will use it to fix the code.
-- TWiki:Main.SopanShewale - 20 Jul 2009
Hello. I guess this never went anywhere? We're having the same problem.
<verbatim>
%COMMENT{type="tableappend" button="Add change"}%
</verbatim>
Same results for tableprepend.
The gt and lt get converted and stored as the html escape codes.
(We'll see if this comes out right)
<verbatim>
</verbatim>
-- TWiki:Main.AaronLWalker - 19 Oct 2009
I created a page on the sandbox here. Same problem.
test topic
-- TWiki:Main.AaronLWalker - 19 Oct 2009
Yes, this is the bug. Working on it.
-- TWiki:Main.SopanShewale - 22 Oct 2009
Hi - please change the definition of your "tableappend" comment template, i.e. modify TWiki.CommentPluginTemplate, change the following line from
%TMPL:DEF{OUTPUT:tableappend}%%POS:BEFORE%| %URLPARAM{"comment" newline="<br />"}% | %WIKIUSERNAME% | %SERVERTIME% |
to
%TMPL:DEF{OUTPUT:tableappend}%%POS:BEFORE%| %URLPARAM{"comment" newline="<br />" encode="off"}% | %WIKIUSERNAME% | %SERVERTIME% |
Notice - encode="off" inside %URLPARAM.
A similar change should be done to the other comment type definitions - make sure you add encode="off" only to the DEF part of the definitions.
-- TWiki:Main.SopanShewale - 26 Oct 2009
Thank you, that does the trick!
-- TWiki:Main.AJAlfieriCrispin - 09 Dec 2009
I am re-opening this because the current fix opens up comment boxes to cross-site vulnerabilities.
Proper fix: introduce $n and $br in the newline="" parameter of VarURLPARAM.
-- PeterThoeny - 03 Mar 2010
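As an added illustration of the two approaches discussed in this thread (not TWiki's own code), the following Python port contrasts the interim encode="off" workaround with the $br/$n placeholder technique: the newline text is swapped for sentinel tokens, the whole parameter value is encoded, and only then are the sentinels turned back into markup. html.escape stands in for URLPARAM's entity encoding, and the sample comment is constructed.

```python
import html
import re

# Constructed sample: a submitted comment with a real line break and an
# attempted script injection in the same value.
SAMPLE_COMMENT = "Line1\nLine2 <script>alert(1)</script>"


def expand_encode_off(value, newline="<br />"):
    """Interim workaround from the thread: substitute the newline text and
    skip encoding, so any markup in the comment reaches the page verbatim."""
    return re.sub(r"\r?\n", lambda _m: newline, value)


def expand_with_placeholders(value, newline="$br", encode=html.escape):
    """Placeholder approach: $br / %BR% and $n in the newline parameter become
    sentinel tokens, the value is encoded, then the sentinels are restored."""
    br_tok, n_tok = "\0-br-\0", "\0-n-\0"
    # Strip NUL bytes from the submitted value first so a client cannot send
    # the sentinel itself and have it rewritten to a tag after encoding
    # (assumption: NUL never legitimately appears in a comment).
    value = value.replace("\0", "")
    newline = re.sub(r"\$br\b|%BR%", br_tok, newline)
    newline = re.sub(r"\$n\b", n_tok, newline)
    value = re.sub(r"\r?\n", lambda _m: newline, value)
    value = encode(value)  # html.escape leaves NUL untouched, so tokens survive
    return value.replace(br_tok, "<br />").replace(n_tok, "\n")
```

With newline="<br />" and no placeholder, the tag is entity-encoded along with the rest of the value, which is exactly the "Line1 &lt;br /&gt; Line2" symptom that opened this thread.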
The $br and $n variables are now handled by the newline="" parameter of VarURLPARAM - feature proposal at TWiki:Codev/UrlparamWithVariablesInNewline, feature tracker Item6404.
-- TWiki:Main.PeterThoeny - 20 Mar 2010
I reverted the addition of encode="off", and instead changed the newline parameter to newline="$br".
For those of you who want to patch your TWiki:
Modified: twiki/trunk/core/lib/TWiki.pm
===================================================================
--- twiki/trunk/core/lib/TWiki.pm 2010-03-09 03:03:53 UTC (rev 18389)
+++ twiki/trunk/core/lib/TWiki.pm 2010-03-20 00:29:32 UTC (rev 18390)
@@ -3977,8 +3977,16 @@
}
}
if( defined $value ) {
- $value =~ s/\r?\n/$newLine/go if( defined $newLine );
- $value = _encode( $encode, $value );
+ if( defined $newLine ) {
+ $newLine =~ s/(\$br\b|%BR%)/\0-br-\0/go;
+ $newLine =~ s/\$n\b/\0-n-\0/go;
+ $value =~ s/\r?\n/$newLine/go;
+ $value = _encode( $encode, $value );
+ $value =~ s/\0-br-\0/<br \/>/go;
+ $value =~ s/\0-n-\0/\n/go;
+ } else {
+ $value = _encode( $encode, $value );
+ }
}
unless( defined $value && $value ne '' ) {
$value = $params->{default};
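Review bot: The sentinel round-trip in this hunk relies on two things the visible lines do not guarantee: that `_encode` leaves the `\0-br-\0` and `\0-n-\0` tokens intact, and that the submitted `$value` never contains them. If an encode mode rewrites NUL bytes (URL encoding would turn `\0` into `%00`), the later `s/\0-br-\0/<br \/>/go` never matches and the `$br` is silently dropped; conversely, a request whose `comment` parameter already carries the byte sequence `\0-br-\0` has it rewritten to a literal `<br />` after encoding, so the sentinel is a narrow way past the encoder. Suggest stripping NUL bytes from `$value` before the `s/\r?\n/$newLine/go` substitution and confirming each `_encode` mode preserves the sentinels, with a short comment above the `if( defined $newLine )` branch stating why encoding must happen between the two substitutions.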
-- TWiki:Main.PeterThoeny - 20 Mar 2010