Job order description HTML encode/decode problem

Posted: 15 May 2023, 16:52
by lbdm
Hi,

I've just installed OpenCATS on my debian server.

Works great, with mostly one exception: when I fill in the job description with CKEditor and save it, the description then shows the HTML code. And the online application shows the same HTML code.

So let's say in CKEditor I write "This is a job desc" in bold; the description section of the job order will actually show:
<p><strong>This is a job desc</strong></p> and the same on the online application. Looking at the HTML source of the online application page, here is what I find:

<p><strong>Description:</strong></p>
&lt;p&gt;&lt;strong&gt;This is a job desc&lt;/strong&gt;&lt;/p&gt;

So it looks like the description has been HTML-encoded with htmlentities.

What am I doing wrong? Any help appreciated, thanks!

Re: Job order description HTML encode/decode problem

Posted: 17 May 2023, 09:24
by lbdm
Update on my previous post:
- I've installed v0.9.7.2 on Windows to see whether I could reproduce the problem there too or if the issue was from my configuration on Debian: same problem on Windows too
- I've downgraded to v0.9.6 and then the problem is gone

So it looks to me like the latest version has introduced that problem. As there have been several security fixes likely involving PHP htmlentities / htmlspecialchars, that might be the "culprit".

Re: Job order description HTML encode/decode problem

Posted: 07 Jun 2023, 17:57
by RussH
Hey there - thanks for reporting this - the 0.9.7.2 release did indeed add changes here. It shouldn't be difficult to find the culprit. I'll get that amended and will share the fix here.

Re: Job order description HTML encode/decode problem

Posted: 21 Jun 2023, 21:46
by RussH
Okay, this was fixed and the new code is in GitHub master. I haven't pushed a release yet.

Re: Job order description HTML encode/decode problem

Posted: 22 Jun 2023, 10:16
by lbdm
Many thanks! I re-installed from the master and I confirm it's fixed.

Re: Job order description HTML encode/decode problem

Posted: 22 Jun 2023, 15:59
by RussH
Great news - please, please let me know about any other issues you face. There have been quite a few commits just to lock down security, so I want to ensure it's all functional.

Re: Job order description HTML encode/decode problem

Posted: 20 Nov 2023, 11:43
by Aleks
Is there a way to just update a specific one/few files, instead of reinstalling the whole package?
I have the same issue mentioned above on the newest version.

Re: Job order description HTML encode/decode problem

Posted: 20 Nov 2023, 18:06
by RussH
Hi Aleks, sorry - you've installed the latest release but would prefer the packages in Master? As I think 0.9.7-2 doesn't have the fix; it's only in Master.

Three options:
1. check the commits since version 0.9.7-2 was packaged and add them in yourself (there aren't that many; eminently doable)
2. download Master and extract it over your existing installation; it will overwrite. Make sure you rename config.php beforehand so it's preserved. Probably the best option.
3. I get around to a new release that works for everyone. I'll get there, have been slightly hectic in my day job for the past few months.

Re: Job order description HTML encode/decode problem

Posted: 21 Nov 2023, 09:20
by Aleks
Thanks Russ
Well, I tried everything except overwriting everything with Master, as it will delete everything I've done already, so I'm avoiding it for now.
I am not a senior dev, but as far as I know, CKEditor (vendor), which is used for adding text styles, headings, etc., also has a Source button, but it's a switch for removing all formatting, and even after removing the entire "ckeditor" folder from the server, the final "description" section of the job orders page still posts it as HTML text (with codes, without line breaks, posting the text in a single line, all merged), so I think that here is the catch.

Another thing I've tried, without good results in the end, was modifying the config file of CKEditor, so I added this:

CKEDITOR.editorConfig = function( config ) {
    // Define changes to default configuration here. For example:
    // config.language = 'fr';
    // config.uiColor = '#AADC6E';

    config.specialChars = [
        '!', '&quot;', '#', '$', '%', '&amp;', "'", '(', ')', '*', '+', '-', '.', '/',
        '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', ':', ';'
    ];
};

and also this

CKEDITOR.config.basicEntities = false;
CKEDITOR.config.entities = false;
CKEDITOR.config.entities_greek = false;
CKEDITOR.config.entities_latin = false;
CKEDITOR.config.htmlEncodeOutput = false;
CKEDITOR.config.entities_processNumerical = false;

Results in the editor were perfect, but after clicking the Save button, all the codes come back.

So, the final problem is actually with the SAVE button; the actions that happen after that button are the problem (probably the pre-defined Add or Edit templates for job orders).
That is my humble opinion :)

Re: Job order description HTML encode/decode problem

Posted: 21 Nov 2023, 10:40
by RussH
Here is the commit you need to apply:
Revert htmlspecialchars for CKEditor (#621)
Revert the security restrictions deployed with HTMLSPECIALCHARS for description fields using CKEditor, as it strips all HTML formatting
https://github.com/opencats/OpenCATS/co ... 8f79882b5a
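To show in working code what this thread describes, here is an added example (not OpenCATS or CKEditor code): a JavaScript mirror of PHP's htmlspecialchars() applied to the CKEditor output from the first post, its one-pass decode counterpart, and a tag-allowlist sanitizer, which is the usual replacement for blanket escaping on a rich-text field that must keep its formatting. The allowed tag list and the assumption that the affected build escaped on save are this example's own, not the project's.

```javascript
// Added example (not OpenCATS or CKEditor code). Shows the double-encoding the thread
// describes and an allowlist sanitizer as the safer alternative to escaping everything.

// Mirrors PHP htmlspecialchars() with ENT_QUOTES: the encoding lbdm found in the page source.
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
function htmlSpecialChars(s) {
  return s.replace(/[&<>"']/g, (c) => ESCAPE_MAP[c]);
}

// Mirrors PHP htmlspecialchars_decode(): one pass, so '&amp;lt;' becomes '&lt;', not '<'.
// Useful for records that were stored already escaped (assumption: the affected build
// escaped on save, which matches "after clicking Save button, all codes come back").
const UNESCAPE_MAP = { amp: '&', lt: '<', gt: '>', quot: '"', '#039': "'", '#39': "'" };
function htmlSpecialCharsDecode(s) {
  return s.replace(/&(amp|lt|gt|quot|#0?39);/g, (m, name) => UNESCAPE_MAP[name]);
}

// Formatting tags a job description needs; everything else is shown as literal text.
// The list is an assumption for this example, not OpenCATS configuration.
const ALLOWED_TAGS = new Set(['p', 'br', 'strong', 'em', 'u', 'ul', 'ol', 'li', 'h2', 'h3']);

// Tag-allowlist sanitizer: allowed tags are re-emitted with their attributes dropped,
// any other tag and any stray <, >, &, ", ' is escaped, existing entities are kept as-is.
function sanitizeRichText(html) {
  const token = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>|&(?:[a-zA-Z]+|#[0-9]+|#x[0-9a-fA-F]+);|[&<>"']/g;
  return html.replace(token, (m, tagName) => {
    if (tagName === undefined) {
      return m.length > 1 ? m : htmlSpecialChars(m); // entity (kept) or single stray character
    }
    const name = tagName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) return htmlSpecialChars(m); // e.g. <script> becomes visible text
    return (m.startsWith('</') ? '</' : '<') + name + '>';
  });
}

// The CKEditor output from the first post (constructed sample, as quoted in the thread).
const EDITOR_OUTPUT = '<p><strong>This is a job desc</strong></p>';
console.log(htmlSpecialChars(EDITOR_OUTPUT));   // the escaped markup seen in the page source
console.log(sanitizeRichText(EDITOR_OUTPUT));   // formatting preserved, nothing else allowed
```

The toy allowlist only illustrates the approach; a deployment should use a maintained sanitizer such as HTML Purifier (PHP) or DOMPurify (JavaScript) on the field instead of either escaping everything or storing the editor output untouched.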