New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix inline images not showing in FAQ/canned response editor #6511
base: develop
Are you sure you want to change the base?
Conversation
Tested on v1.17.3 (ca95150) |
I would not update So my suggestion is completely revert the changes you’ve made and just wrap the content in both places with Cheers. |
@JediKev I agree, that is a much nicer solution. Better yet, the code is already there. If we pass false to I've updated the patch to include this change instead. |
7f1885c
to
2ba35b8
Compare
Now there is only one question. Why did someone call |
What do you mean exactly? The Cheers. |
Your new changes are incorrect. You are just removing the Cheers. |
Format::htmlchars() was called on contents handed over to HTML editor. This would remove the image URLs to file.php. This fix keeps the file.php URLs intact making the image preview work for FAQs and canned responses.
Thank you for taking time to answer this pull-request. You are unfortunately mistaken. What you are saying would result in a empty pull-request. The issue this pull request is trying to solve is caused by calling This is the code today: // ...
$info['response'] = $canned->getResponseWithImages(); // = Format::viewableImages($canned->getResponse());
// ...
$info=Format::htmlchars(($errors && $_POST)?$_POST:$info, true); As you can see we are already doing what you propose. The issue here is that $html = '<img src="cid:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" data-image="zzz">';
viewableImages($html):
<img src="/file.php?key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&expires=1234567890&signature=yyy" data-cid="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" data-image="zzz">
htmlchars(viewableImages($html), false):
<img src="/file.php?key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&expires=1234567890&signature=yyy" data-cid="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" data-image="zzz">
htmlchars(viewableImages($html), true):
<img src="cid:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" data-cid="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" data-image="zzz"> As far as I can tell the last result invalidates the image src URL. This causes issues when editing an FAQ or canned response. The editor cannot render the image since the source is a CID instead of an URL. The result is a "image" placeholder in the editor. When calling But this can be fixed... |
2ba35b8
to
212ea9b
Compare
Well we need to look deeper for a fix (as this will affect other things). We will review the issue and make a suggested patch. Cheers. |
I've pushed a solution that introduces a version of |
Here is some test-code that illustrates the problem (the output is above): <?php
function htmlchars($var, $sanitize = false) {
// ...
if ($sanitize)
$var = sanitize($var);
// ...
$flags = ENT_COMPAT;
return htmlspecialchars((string)$var, $flags, 'UTF-8', false);
}
function sanitize($text, $striptags=false, $spec=false) {
// ...
$text = localizeInlineImages($text);
// ...
return $text;
}
function localizeInlineImages($text) {
// Change file.php urls back to content-id's
return preg_replace(
'`src="(?:https?:/)?(?:/[^/"]+)*?/file\\.php\\?(?:\w+=[^&]+&(?:amp;)?)*?key=([^&]+)[^"]*`',
'src="cid:$1', $text);
}
function viewableImages($html, $options=array()) {
// ...
return preg_replace_callback('/"cid:([\w._-]{32})"/',
function($match) use ($options) {
// ...
return sprintf('"%s" data-cid="%s"',
getDownloadUrl($options), $match[1]);
}, $html);
}
function getDownloadUrl($options=array()) {
// ...
$handler = "/file.php";
$args = array(
'key' => "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
'expires' => "1234567890",
'signature' => "yyy",
);
// ...
return sprintf('%s?%s', $handler, http_build_query($args));
}
$html = '<img src="cid:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" data-image="zzz">';
echo '$html = ' . $html . ";\n\n";
echo 'viewableImages($html):'."\n";
echo viewableImages($html) . "\n\n";
echo 'htmlchars(viewableImages($html), false):'."\n";
echo htmlchars(viewableImages($html), false) . "\n\n";
echo 'htmlchars(viewableImages($html), true):'."\n";
echo htmlchars(viewableImages($html), true) . "\n\n"; |
I reviewed our code and I see what you mean. After review, all we really need is a simple Cheers. |
This is a two-part commit that includes a fix for inline images on display and a patch for a possible vulnerability for Drafts. This restructures the way we call Format::viewableImages() so that we call it when displaying after we sanitize the data to ensure the images are not broken. Secondly, this ensures Drafts do not skip the `Format::htmlchars()` sanitization at all. This is a rewrite of osTicket#6511.
This is a two-part commit that includes a fix for inline images on display and a patch for a possible vulnerability for Drafts. This restructures the way we call Format::viewableImages() so that we call it when displaying after we sanitize the data to ensure the images are not broken. Secondly, this ensures Drafts do not skip the `Format::htmlchars()` sanitization at all. This is a rewrite of #6511.
This is a two-part commit that includes a fix for inline images on display and a patch for a possible vulnerability for Drafts. This restructures the way we call Format::viewableImages() so that we call it when displaying after we sanitize the data to ensure the images are not broken. Secondly, this ensures Drafts do not skip the `Format::htmlchars()` sanitization at all. This is a rewrite of osTicket#6511.
This is a two-part commit that includes a fix for inline images on display and a patch for a possible vulnerability for Drafts. This restructures the way we call Format::viewableImages() so that we call it when displaying after we sanitize the data to ensure the images are not broken. Secondly, this ensures Drafts do not skip the `Format::htmlchars()` sanitization at all. This is a rewrite of osTicket#6511.
Format::htmlchars() was called on contents handed over to HTML editor. This would remove the image URLs to file.php. This fix keeps the file.php URLs intact making the image preview work while editing FAQs and canned responses.