Priority: Normal
Current State: Duplicate
Released In: n/a
Target Release: n/a
Applies To: Engine
Component:
Branches:
Hi,
Is there a reason why the form field names can't be in a language other than English? For all my installations I comment out line #187 in lib/Foswiki/Form.pm and all installed plugins work fine.
--
AlexMorozov - 27 Mar 2012
Because we don't have enough non-English language users reporting excellent bugs like this!
Okay, the thing you should know is that this regex also wipes out potentially dangerous XSS characters. Although we (mostly?) use CGI.pm to build up HTML in Foswiki core, which should de-fang most dangerous chars in the field name, we can't vouch for all the wiki-applications emitting hand-crafted HTML where a stray quote or < sign might break things.
We probably should change the regex from a whitelist to a blacklist, but there really should be a wider review of this stuff at the same time if we're going to be careful.
Also, could you please share what language you're using, and your {Site}{CharSet} too?
--
PaulHarvey - 28 Mar 2012
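An added example, not Foswiki's own code and not part of either poster's comments: the trade-off described above is that an ASCII-only whitelist removes Cyrillic field names together with the markup characters it is meant to stop. The Perl below puts an assumed ASCII-only filter (the thread does not quote the actual regex in lib/Foswiki/Form.pm) beside a whitelist built on Unicode properties and an output-encoding helper for hand-crafted HTML; all function names and sample field names are hypothetical.

```perl
#!/usr/bin/perl
# Added illustration; none of this is taken from lib/Foswiki/Form.pm.
use strict;
use warnings;
use utf8;                                   # this file contains UTF-8 literals
binmode( STDOUT, ':encoding(UTF-8)' );

# Assumed stand-in for an ASCII-only whitelist: every non-ASCII letter is dropped.
sub name_ascii_only {
    my ($name) = @_;
    $name =~ s/[^A-Za-z0-9_]//g;
    return $name;
}

# Whitelist on Unicode properties: letters, combining marks and digits of any
# script survive; quotes, angle brackets, ampersands and whitespace do not.
sub name_unicode {
    my ($name) = @_;
    $name =~ s/[^\p{L}\p{M}\p{N}_]//g;
    return $name;
}

# Output encoding for hand-crafted HTML, applied where the value is emitted,
# independent of whichever input filter is in place.
sub html_attr {
    my ($text) = @_;
    my %ent = (
        '&' => '&amp;',  '<' => '&lt;', '>' => '&gt;',
        '"' => '&quot;', "'" => '&#39;',
    );
    $text =~ s/([&<>"'])/$ent{$1}/g;
    return $text;
}

# Constructed sample field names (not from the page).
my @samples = ( 'Status', 'Имя поля', 'Тип"><b>x', q{O'Brien & Co} );

for my $raw (@samples) {
    printf "%-14s ascii=%-10s unicode=%-12s attr=%s\n",
        $raw, name_ascii_only($raw), name_unicode($raw), html_attr($raw);
}
```

The input filter decides which names are accepted; encoding at output is what keeps a stray quote or `<` from breaking markup even if the filter is relaxed.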
Sure. We're using Foswiki in Russian, charset is ru_RU.UTF-8. I had to patch previous versions in many places to get it to work with Unicode, but 1.4 works like a charm out of the box (except the bug mentioned above).
Correct me if I'm wrong, but DataForms are more of an administrator's piece of functionality, and thus can be trusted more than the usual user input. So something like http://api.drupal.org/api/drupal/modules!filter!filter.module/function/filter_xss/6 will be okay, IMHO.
--
AlexMorozov - 28 Mar 2012
I'm not aware of any mechanism that can completely prevent a user from doing their own dataforms. I guess, apart from XSS, use of quotes in a field name could also simply break the HTML markup.
Do you have time/effort to spare in improving Foswiki's utf-8 support?
CrawfordCurrie spent a lot of effort working on the experimental UnicodeSupport branch (that work is on GitHub, see topic for details).
But this effort has stalled, due to lack of interest/engagement with users outside of the Latin-1 charset.
--
PaulHarvey - 28 Mar 2012
Unfortunately, my knowledge of Perl is limited to commenting out specific lines :). To be honest, I remember times I wrote Perl scripts, and it always was a pain to process Unicode correctly. So I'm surely not the right person to maintain i18n submodules.
--
AlexMorozov - 30 Mar 2012
Duplicate of Item9448
--
CrawfordCurrie - 17 Feb 2015