Skip to content

[configuration] Use unsafeInsert/unsafeUpdate for saving values #8759

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jun 12, 2023
Merged

[configuration] Use unsafeInsert/unsafeUpdate for saving values #8759

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions modules/configuration/ajax/process.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,7 @@
}
}
// Update the config setting to the new value.
$DB->update(
$DB->unsafeUpdate(
Copy link
Contributor

@zaliqarosli zaliqarosli Jun 8, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this okay to change for all update/inserts on the config module, not knowing what other front-end values this might affect?

Copy link
Collaborator Author

@driusan driusan Jun 8, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I looked on demo and only saw 3 textarea config settings:

  1. The studyDescription used on the login page. This already uses DOMPurify to make sure the value is clean.
  2. The projectDescription used by the dashboard welcome widget. An admin would be able update the description to include unsafe HTML there, but this is addressed by PR [dashboard] Load project description from ajax and run through DOMPurify #8762.
  3. The citation_policy used by the acknowledgements module. This is used by the acknowledgements module inside of a React component, so it should be auto-escaped by React.

'Config',
['Value' => $value],
['ID' => $key]
Expand Down Expand Up @@ -108,7 +108,7 @@
}
}
// Add the new setting
$DB->insert(
$DB->unsafeInsert(
'Config',
[
'ConfigID' => $ConfigSettingsID, // FK to ConfigSettings.
Expand Down