We launched new forums in March 2019—join us there. In a hurry for help with your website? Get Help Now!
MODX Community Forums Archive

I think I managed to "inject" bad data into my 'menutitle' field

    • 6705
    • 79 Posts
    david55 Reply #1, 14 years, 6 months ago
    Oh dear..

    I think I’ve managed to "inject" bad data into my ’menutitle’ field in one of my pages (on MODx 0.9.6.3). sad

    I was writing a page to explain what to do in case users encountered a particular computer error (when using another application, not MODx), and so I made this the ’menutitle’ for my page:

    "functionOne()->otherfunction();" error


    (The above is the exact format of my menutitle field, including the double-quotes and the other symbols. I’ve changed the names of the functions in the error message here, because this is a real error message (for another application, not MODx) and I don’t want this page to frustrate real users of that application who are searching the web for information about the error message.)

    Unfortunately, this caused the ’menutitle’ field to become horribly confused when I saved my page. i quickly changed the ’menutitle’ to something more safe ("SAFE-TEXT error" (again, I have changed the wording here, and there are no literal double-quotes in the string this time)), but still when viewing the page, the menu title displays as:

    otherfunction();" error" >SAFE-TEXT error


    You can see that the menu title now has part of the previous bogus menu title prefixed to it (along with a double-quote, space, greater-than).

    Yet, in the MODx editor, and when looking up the ’menutitle’ field for the page in question in my database, it only contains (as intended):

    SAFE-TEXT error

    I’ve obviously managed to deposit some junk into my database, does anybody have any idea how I might find where it went, and remove it?

    (A light bulb illuminates, a short amount of time passes..)

    Ah, looking at the page source, I now see what’s going on:

    (And there’s no junk in my database that I now can’t get rid of)

    <a href="/errorpage.html" title=""functionOne()->otherfunction();" error" >SAFE-TEXT error</a>



    Yep, my double-quotes have broken out of the HTML ’title’ attribute, and then the following greater-than has been parsed as the HTML element name closure, with the following text rendered as part of the actual link text.

    The problem therefore appears to be that MODx isn’t making the "Title" and/or "Long Title" and/or "Menu Title" fields HTML-safe, and is saving them in the database as-is (rather than with characters converted to HTML entities where necessary).

    (I’ve now made safe the data in these fields for the page in question)


    Does anybody know if this situation is still present in newer MODx releases?
    Should I submit a bug report?

    (OK, we computer geeks know that some characters are often unsafe and that it’s unlikely to be a Good Idea to try to use them, but even if we learn to avoid them, it’s likely that typical end-users will still continue unknowingly..)


    [Edited to clarify some of my wording, which may have been confusing]
      Please don't PM me unless it's absolutely essential: if a technical question is worth asking, it's worth asking in public, so that others can share their experience, and so that all can learn from the answers.