htmlencoded braces in window names breaks, causing browse() to use the default browse control.

BYOND Forums

Announcements · BYOND Help · Bug Reports · Feature Requests · Beta Testers · Beta Bugs · Developer Help · Design Philosophy · Demos & Libraries · Tutorials & Snippets · Art & Sound · Classified Ads · Game Updates · Contests & Events · Linux Talk · On Topic · Off Topic

ID:2510672

Sep 17 2019, 8:31 pm

MrStonedOne

Resolved

The options string in browse() was not parsed like a URL-encoded parameter string (as in list2params), which prevented special characters from being escaped. Now it's parsed the same way, except that for legacy reasons a comma is still allowed as a delimiter between items in the list.

BYOND Version:	512
Operating System:	Windows Server 2012 r2
Web Browser:	Chrome 76.0.3809.132
Applies to:	Dream Seeker

Status:

Resolved (512.1485)

This issue has been resolved.

Descriptive Problem Summary:
Adding "html_encode("<>")" to a window name in the option field of a browse call causes it to redirect the browse call to the default control instead of opening a popup.

What's likely happening is this is breaking the parsing of the option string, but this creates an annoying issue as the option string does not have any way of escaping a ; in the string:

Docs state:

The option parameters should either be omitted or they should be in a text string of the following format: "window=name;file=name;display=1;
size=300x300;border=0;can_close=1;
can_resize=1;can_minimize=1;titlebar=1"

You may use commas (,), ampersands (&), or semicolons (;) as the delimiter. Any or all of the parameters may be specified and they may be included in any order.

Or rather, this entire bug report is just a snarky way of reporting that the docs do not specify that the second argument to browse is a params list, so for security reasons, we can not assume list2params and url_encode are safe for use here.

See this exchange for more info: https://github.com/tgstation/tgstation/pull/ 46580#issuecomment-532353744

Workaround:

md5() window names that could contain special characters. (Note: list2params and url_encode are not proper work arounds because the docs do not describe the options string as a params list or uri encoded list)

Sep 18 2019, 12:06 pm
Lummox JR	Interestingly this isn't an oversight on the reference's part; you're correct that this isn't parsing like it would a parameter string, which I don't think is good. Unfortunately the comma delimiter being allowed means I'll have to do something hacky to adjust for this.

Sep 18 2019, 1:52 pm
Lummox JR	Lummox JR resolved issue with message: The options string in browse() was not parsed like a URL-encoded parameter string (as in list2params), which prevented special characters from being escaped. Now it's parsed the same way, except that for legacy reasons a comma is still allowed as a delimiter between items in the list.