Error in Dropdown with allow Multiple in recent versions #1738

Open
mkrecek234 opened this issue Feb 15, 2022 · 9 comments · May be fixed by #1742

Comments

@mkrecek234
Contributor

mkrecek234 commented Feb 15, 2022

Steps to reproduce:

  1. Add a Dropdown with isMultiple support

```php
$recipient = $form->addControl(
    'recipient',
    [
        \Atk4\Ui\Form\Control\Dropdown::class,
        'isMultiple' => true,
        'dropdownOptions' => ['allowAdditions' => true, 'forceSelection' => false],
    ],
    ['default' => 'Username <user@emaildomain.de>']
);
```

  2. In the most recent versions (tested in develop but probably since 3.1) on Submit (POST) wrong data is submitted and thus also saved:

```
Username <user@emaildomain.de>, Username &lt;user@emaildomain.de&gt;
```

You can see this already on rendering of the form, that the hidden <input...> for that dropdown contains the wrong comma-separated two values with original string and htmlencoded string erroneously.

Bad workaround: you submit already the htmlspecialchars('Username user@emaildomain.de') as a default, then it would not happen. Probably an issue with typecasting.

Expected result:
The non-html-encoded string is received on POST/saved into the database, rather than the double-entry list with one htmldecoded, one encoded element string.

Username <user@emaildomain.de>
@mvorisek
Member

mvorisek commented Feb 25, 2022

```php
$form = \Atk4\Ui\Form::addTo($app);
$recipient = $form->addControl(
    'recipient',
    [\Atk4\Ui\Form\Control\Dropdown::class,
        'isMultiple' => true,
        'dropdownOptions' => ['allowAdditions' => true, 'forceSelection' => false],
    ],
    ['default' => 'Username <user@emaildomain.de>']
);
$form->onSubmit(function () use ($form) {
    echo '<pre>';
    echo htmlspecialchars(
        print_r($form->model->get(), true)
    );
});
```

reproduced, see FUI issue fomantic/Fomantic-UI#2246

docs https://fomantic-ui.com/modules/dropdown.html#/security

@mvorisek
Member

add a test and test if problem is solved with #1866
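
A server-side check for the symptom reported in this thread, as an added example that is not part of the original comments or of atk4/ui: it takes the raw posted value of a multiple-selection dropdown and separates out entries that are only the HTML-encoded form of another entry. The function name `inspectMultiDropdownValue` and the comma delimiter are assumptions made for this example.

```php
<?php

declare(strict_types=1);

/**
 * Added example, not atk4/ui code. Splits the raw value posted by a
 * multiple-selection dropdown and separates entries that are merely the
 * HTML-encoded form of another entry in the same submission.
 *
 * Assumption: entries are joined with "," (as in the report) and a
 * legitimate entry contains no comma itself.
 *
 * @return array{clean: list<string>, encodedDuplicates: list<string>}
 */
function inspectMultiDropdownValue(string $posted, string $delimiter = ','): array
{
    $entries = [];
    foreach (explode($delimiter, $posted) as $entry) {
        $entry = trim($entry);
        if ($entry !== '') {
            $entries[] = $entry;
        }
    }

    $result = ['clean' => [], 'encodedDuplicates' => []];
    foreach ($entries as $entry) {
        // Decode exactly once: "&lt;" becomes "<", "&amp;lt;" becomes "&lt;".
        $decoded = html_entity_decode($entry, ENT_QUOTES | ENT_HTML5, 'UTF-8');

        // Flag only when the decoded form is also present as its own entry;
        // an entry that legitimately contains "&amp;" on its own is kept.
        if ($decoded !== $entry && in_array($decoded, $entries, true)) {
            $result['encodedDuplicates'][] = $entry;
        } else {
            $result['clean'][] = $entry;
        }
    }

    return $result;
}

// Constructed sample: the submitted value quoted in the report.
$posted = 'Username <user@emaildomain.de>, Username &lt;user@emaildomain.de&gt;';
$result = inspectMultiDropdownValue($posted);

// A regression test would fail if any encoded duplicate is present.
var_export($result);
```

Because the check only flags an encoded entry when its decoded twin is in the same submission, a value that legitimately contains entity-like text on its own is left untouched rather than silently rewritten.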

@mkrecek234
Contributor Author

Problem seems to persist after upgrade to Fomantic UI 2.9.0-beta.320 - the html special chars are stored returned from the control, whereas it should return the non-HTML-encoded characters like "<" or ">" rather than "&gt;" or "&lt;"

@mkrecek234
Contributor Author

mkrecek234 commented Dec 15, 2022

Here is more background to the still remaining issue:
Step to reproduce:

  • You have a dropdown with allowMultiple
  • The dropdown's field content (e.g. populated by an entity) is test <email@email.com>

If you save this, atk4/data correctly stored it as test <email@email.com>.
If you load the form again with the pre-populated entry (for example to edit it), the control is rendered like this:

```html
<a class="ui label transition visible active" data-value="test <email@email.com>" style="display: inline-block !important;">
test 
<email@email.com>
<i class="delete icon"></i>
</email@email.com></a>
```

What is interesting is that if you have this field's content (two times the same entry):
test <email@email.com>, test <email@email.com> then it is rendered once correctly, and the second one is rendered wrongly (as above):

```html
<a class="ui label transition visible" data-value=" test <email@email.com>" style="display: inline-block !important;">
test &lt;email@email.com&gt;<i class="delete icon"></i></a>

<a class="ui label transition visible active" data-value="test <email@email.com>" style="display: inline-block !important;">
test 
<email@email.com>
<i class="delete icon"></i>
</email@email.com></a>
```

@mkrecek234
Contributor Author

mkrecek234 commented Dec 15, 2022

@mvorisek This seems to be an issue in the most recent develop branch, as an older develop commit does not show this issue. Very strange how the template is rendered as the field's content is considered as opening tag and a closing tag is generated.

@mvorisek
Member

I put a lot of time into this already and even have a draft branch for it. FUI 2.9.0 fixed some problems, but not all, we still need to update the render in atk4/ui. The main time-consuming problem is there are 3 Dropdown controls: Dropdown, Lookup and Lookup in vue. And all use different rendering, different data format... We should unify this first - related issue #1020

@mkrecek234
Contributor Author

Solved by 'preserveHTML' => false, see fomantic/Fomantic-UI#2246.
We should consider making preserveHTML=false as default for Atk4/Ui/DropDown @mvorisek .

@mvorisek
Member

mvorisek commented Mar 2, 2023

Lookup/Dropdown use completely different source data format, it is not that easy

@mkrecek234
Contributor Author

For me this issue here is resolved by preserveHTML = false, everything works as it should with it.
