• Resolved flimm

    (@flimm)


    When configuring the plugin, you can enter a custom error message. If you enter a message with a newline or a special character like double quotes (“), then that causes the JSON that is returned from the API to break, and to look like this for instance:

    
    {"image_check":"fail", "error_message":"Foo
    bar"}

    This example is invalid JSON, as newlines need to be encoded using backslash n.

    I suggest these changes:

    1. In the file mfis.php, change this line in particular:

    
    $returned_data = '{"image_check":"fail", "error_message":"' . $mfis_ajax_error_message . '"}';
    

    Instead, it should look like this:

    
    $returned_data = json_encode([
      "image_check" => "fail",
      "error_message" => $mfis_ajax_error_message,
    ]);
    

    2. In mfis-admin-scripts.js, you can see this line:

    
    var mfis_publishing_disabled_message = '<div class="mfis_publishing_disabled"><span class="mfis_icon">!</span><span class="mfis_error_message">' + json.error_message + '</span></div>';
    

    I would change this line to look like:

    
    function escapeHtml(unsafe) {
        // Escape the five characters that matter inside HTML text and attribute values;
        // String() guards against a missing or non-string error_message.
        return String(unsafe)
            .replace(/&/g, "&amp;")
            .replace(/</g, "&lt;")
            .replace(/>/g, "&gt;")
            .replace(/"/g, "&quot;")
            .replace(/'/g, "&#039;");
    }
    var mfis_publishing_disabled_message = '<div class="mfis_publishing_disabled"><span class="mfis_icon">!</span><span class="mfis_error_message">' + escapeHtml(json.error_message) + '</span></div>';
    

    Fortunately, only admins can modify the plugin settings. If this string originated from users, then this lack of proper escaping would be a potential security vulnerability.

    • This topic was modified 4 years, 4 months ago by flimm.
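To make the difference concrete, here is an added PHP example (not the plugin's own code) that builds the response both ways, with the original concatenation from mfis.php and with the json_encode() suggestion above, for a message containing a newline and double quotes, and checks each result with json_decode(). The function names are assumed for the example, and the JSON_HEX_* flags go a step beyond the suggestion by hex-escaping HTML-significant characters in the JSON text.

```php
<?php
// Added example, not the plugin's code: contrast the original string
// concatenation with json_encode() for a message that contains a newline
// and double quotes, and validate each result with json_decode().

// Original construction: the message is pasted into the JSON text verbatim,
// so a raw newline or an unescaped double quote corrupts the document.
function mfis_response_concat(string $message): string {
    return '{"image_check":"fail", "error_message":"' . $message . '"}';
}

// Suggested construction: json_encode() escapes the newline as \n and the
// double quote as \". The JSON_HEX_* flags additionally encode <, >, &, ' and "
// as \u00XX escapes, so the decoded string still carries them but the raw JSON
// text never does (defence in depth for any client that embeds it carelessly).
function mfis_response_encoded(string $message): string {
    return json_encode(
        ["image_check" => "fail", "error_message" => $message],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

// Constructed sample: a custom error message with a newline and quotes.
$message = "Image is too small.\nSee the \"Upload\" page for the limits.";

$responses = [
    'concat'  => mfis_response_concat($message),
    'encoded' => mfis_response_encoded($message),
];

foreach ($responses as $label => $json) {
    $decoded = json_decode($json, true);
    if ($decoded === null) {
        // The concatenated variant fails here with a control-character error.
        printf("%-8s invalid JSON: %s\n", $label, json_last_error_msg());
    } else {
        // A valid response must round-trip the message unchanged.
        $same = ($decoded['error_message'] === $message) ? 'yes' : 'no';
        printf("%-8s valid JSON, message round-trips: %s\n", $label, $same);
    }
}
```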
Viewing 1 replies (of 1 total)
  • Plugin Author MS

    (@corgmo)

    Thanks for the feedback.

    Not sure this line was really necessary though, my friend ??:

    If this string originated from users, then this lack of proper escaping would be a potential security vulnerability.

  • The topic ‘Using newlines or special characters in Error message breaks the plugin’ is closed to new replies.