Module Output is not Escaped

[AmyStephen]

@eddieajau asked that I raise this issue with the CMS.

joomla/joomla-platform#769 (comment)

In the "Deprecate JView::escape()" pull request, it was proposed that the escape method be deprecated. I agreed, primarily on the basis that JView scope limits it's usefulness to Component Views. Further, I pointed out that no module output is escaped in Joomla core and I wonder if it's related to the lack of availability of this method.

IMO, it would make sense to either remove the method from JView, or relocated it where frontend devs can use it in all rendered output, including components, but also templates and modules.

Regardless, module output should be escaped. If the JView::escape method cannot be used, using PHP methods is sufficient, but it really should be done.

http://shiflett.org/blog/2005/feb/my-top-two-php-security-practices

[eddieajau]

Actually I didn't ask, was just pointing out an issue that wasn't relevant to the platform. For what it's worth, it's very easy to reconfigure a module to use jview. There is no need to relocate anything, just use the published API that exists already.

[AmyStephen]

For clarification, Andrew's comment that prompted my issue report joomla/joomla-platform#769 (comment)

@eddieajau - how can JView be used with a module? When I attempt to use the method statically, I get this error:

Fatal error: Using $this when not in object context in /Users/amystephen/Sites/joomla-cms/libraries/joomla/application/component/view.php on line 441

Fatal error: Access to undeclared static property: JLoader::$classes in /Users/amystephen/Sites/joomla-cms/libraries/loader.php on line 189

How do you recommend this be done?

[eddieajau]

@AmyStephen the error you are seeing is telling you that you are using a method statically that was never designed to be used statically. Both the Platform and CMS are now PHP 5 so unless a method is declared statically, you should not use it that way (in Eclipse, the code-assist will only show methods explicitly declared static when used in that context). An example of how you can use JView in a module can be found here:

https://github.com/eddieajau/joomla-hello-world/blob/master/modules/mod_hello/mod_hello.php

[ if you sign up for my training I'll explain why :) ]

In practice you wouldn't include the class in the module file but in it's own file and then use a require_once statement or, better, register the class with JLoader::register. It's a bit rough but it gets the job done. As I explain in my training, the major advantage in doing it this way is that you design layouts for components and modules in the same way so you get the escape method and also cool things like $this->baseurl, etc. There are some Easter eggs in the layout of that example module as well, but I'll leave you to find them :)

As for a recommendation, I'm agnostic about whether you use JView or just apply a quick fix with htmlspecialchars. Either will work.

[AmyStephen]

The problem exists in 1.5 as well as 2.5. I hope it's fixed before release. It's an important issue.

[eddieajau]

Talk to the JBS about how they want to handle it.

[AmyStephen]

@eddieajau - This is an issue report for the JBS. I have reported the problem. I am certain they will handle this appropriately. If you wish to talk to me further, please use email.

[eddieajau]

They will probably want you to raise the issue on the JoomlaCode tracker.

[brianteeman]

Thanks for reporting this. At this time we are only using github as the place to submit code fixes so I am closing the report here. The actual reporting of issues and testing fixes is still taking place on Joomlacode.

As it has been some time since you opened this issue can you please confirm that it is still valid with the current Master or Joomla 3.2 beta.

If it is still valid please can you open an item on the Joomlacode tracker in the appropriate area.

CMS Bug Reports: http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemBrowse&tracker_id=8103

CMS Feature Requests: http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemBrowse&tracker_id=8549