Zend Framework

Implementation of Dojo_View_Helper_Editor is outdated and insecure

Details

  • Type: Bug Bug
  • Status: Resolved Resolved
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: 1.8.1
  • Fix Version/s: 1.7.9, 1.8.5, 1.9.7
  • Component/s: Zend_Dojo
  • Labels:
    None

Description

Hi,
I believe that the ZF implementation of the rich text editor dijit.Editor is based on outdated Dojo docs and is apparently insecure. In use, it logs warnings to the Firebug console about not using it with HTML Textarea tags - from the Dojo comments:
// Do not use this widget
// with an HTML <TEXTAREA> tag, since the browser unescapes XML escape characters,
// like <. This can have unexpected behavior and lead to security issues
// such as scripting attacks.

The approved method appears to be to use a div instead; however, I suspect this has the downside of not degrading gracefully in the absence of Javascript. I don't know whether the claimed security flaw is important enough to sacrifice this principle for.

The fix is to alter lines 89-92 of Zend/Dojo/View/Helper/Editor.php to:

Zend_Dojo_View_Helper_Editor
89        $attribs = $this->_prepareDijit($attribs, $params, 'textarea');
90
91        $html = '<input' . $this->_htmlAttribs($hiddenAttribs) . $this->getClosingBracket() .
92                '<div dojoType="' . $this->_module . '" ' . $this->_htmlAttribs($attribs)  . '>' . $value . '</div>';

Issue Links

This issue is duplicated by:
ZF-8127 Security issue in Zend_Dojo_View_Helper_Editor Major Resolved

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Anton Shevchuk added a comment -

I fix this is issue in my view helper with follow code:

Zend_Dojo_View_Helper_Editor::editor
/**
 * dijit.Editor
 * 
 * @param  string $id 
 * @param  string $value 
 * @param  array $params 
 * @param  array $attribs 
 * @return string
 */
public function editor($id, $value = null, $params = array(), $attribs = array())
{
    $hiddenName = $id;
    if (array_key_exists('id', $attribs)) {
        $hiddenId = $attribs['id'];
    } else {
        $hiddenId = $hiddenName;
    }
    $hiddenId = $this->_normalizeId($hiddenId);

    $hiddenAttribs = array(
        'id'    => $hiddenId,
        'name'  => $hiddenName,
        'value' => $value,
        'type'  => 'hidden',
    );
    
    $editorAttribs = array(
        'id'    => $hiddenId . '-Editor',
        'name'  => $this->_normalizeEditorName($hiddenName)
    );

    $editorAttribs = $this->_prepareDijit($editorAttribs, $params, 'textarea');
    
    $this->_createGetParentFormFunction();
    $this->_createEditorOnSubmit($hiddenId, $textareaId);

    $html = '<input' . $this->_htmlAttribs($hiddenAttribs) . $this->getClosingBracket()
          . '<div dojoType="' . $this->_module . '" ' . $this->_htmlAttribs($editorAttribs) .'>'.$value.'</div>';

    return $html;
}
Show
Anton Shevchuk added a comment - I fix this is issue in my view helper with follow code:
Zend_Dojo_View_Helper_Editor::editor
/**
 * dijit.Editor
 * 
 * @param  string $id 
 * @param  string $value 
 * @param  array $params 
 * @param  array $attribs 
 * @return string
 */
public function editor($id, $value = null, $params = array(), $attribs = array())
{
    $hiddenName = $id;
    if (array_key_exists('id', $attribs)) {
        $hiddenId = $attribs['id'];
    } else {
        $hiddenId = $hiddenName;
    }
    $hiddenId = $this->_normalizeId($hiddenId);

    $hiddenAttribs = array(
        'id'    => $hiddenId,
        'name'  => $hiddenName,
        'value' => $value,
        'type'  => 'hidden',
    );
    
    $editorAttribs = array(
        'id'    => $hiddenId . '-Editor',
        'name'  => $this->_normalizeEditorName($hiddenName)
    );

    $editorAttribs = $this->_prepareDijit($editorAttribs, $params, 'textarea');
    
    $this->_createGetParentFormFunction();
    $this->_createEditorOnSubmit($hiddenId, $textareaId);

    $html = '<input' . $this->_htmlAttribs($hiddenAttribs) . $this->getClosingBracket()
          . '<div dojoType="' . $this->_module . '" ' . $this->_htmlAttribs($editorAttribs) .'>'.$value.'</div>';

    return $html;
}
Hide
Permalink
Anton Shevchuk added a comment -

One mistake

// change line
$this->_createEditorOnSubmit($hiddenId, $textareaId);
// to 
$this->_createEditorOnSubmit($hiddenId, $hiddenId . '-Editor');
Show
Anton Shevchuk added a comment - One mistake 
// change line
$this->_createEditorOnSubmit($hiddenId, $textareaId);
// to 
$this->_createEditorOnSubmit($hiddenId, $hiddenId . '-Editor');
Hide
Permalink
rv david added a comment -

This issue causes a previously closed bug report at:
http://framework.zend.com/issues/browse/ZF-4462;jsessionid=436E62603E0CEB9B3E51E670AC2F723F

As mentioned in ZF-4462, it only happens in IE.

Happened to me in IE7 - my client was complaining that when they tried change the data in the Editor field, they get the text "Array" is saved in place of the content.
Dumping the request data reveals that the data submitted is submitted as an array. Similar to what is displayed below:

Array (
[title] => bug test 2
[content] => Array ( [Editor] => bug test 2 )
[sendlive] => 0
[id] =>
[save] => save )

Show
rv david added a comment - This issue causes a previously closed bug report at: http://framework.zend.com/issues/browse/ZF-4462;jsessionid=436E62603E0CEB9B3E51E670AC2F723F As mentioned in ZF-4462, it only happens in IE. Happened to me in IE7 - my client was complaining that when they tried change the data in the Editor field, they get the text "Array" is saved in place of the content. Dumping the request data reveals that the data submitted is submitted as an array. Similar to what is displayed below: Array ( [title] => bug test 2 [content] => Array ( [Editor] => bug test 2 ) [sendlive] => 0 [id] => [save] => save )
Hide
Permalink
Matthew Weier O'Phinney added a comment -

Fixed in trunk, and will release with 1.10. The change is a slight BC break, but justifiable due to the security implications; however, these changes are best to introduce during a minor release when we can message how to upgrade more granularly.

Show
Matthew Weier O'Phinney added a comment - Fixed in trunk, and will release with 1.10. The change is a slight BC break, but justifiable due to the security implications; however, these changes are best to introduce during a minor release when we can message how to upgrade more granularly.

People

Vote (4)
Watch (2)

Dates

  • Created:
    Updated:
    Resolved:
Atlassian JIRA (v4.4.3#663-r165197) | Report a problem
Powered by a free Atlassian JIRA open source license for Zend Framework. Try JIRA - bug tracking software for your team.