Cannot submit any special character in translation

I am not inclined to fix this the language string interface is for quick & dirty fixes, if you want anything fancy export, edit, import.

I think that this issue is bug.
So, accept this patch to fix it.

I think that it's processing necessary to prevent XSS(or other attack) that encodes “&" to the character entity before storing to DB.

Try this patch if you don't want to encode '&'.

Committed to HEAD.

thanks.

The root of the issue is in check_plain().
So, accept this patch to fix it again.

Storing it after the special character is converted to character entity is not a issue.
However, character entity can't be used in the text as long as the patch is not applied.

Please provide a few specific test cases and what is expected to be stored in the database and output to the screen.

I've backported the patch that drumm committed.

Jax's opinion are "how to store the entered strings in DB", but the issue that I judged is "how to output the entered character entity".
I decided to report as another issue.
Because, I think that "how to store the entered strings in DB" is not a problem, and it seems to differ from **Jax's** issue.

All these solutions are essentially horrible. Patching check_plain() is bad because it applies globally, and doesn't give you the benefit of using HTML, but still just forces you to double escape HTML entities when talking about them.

The root of the problem is that the text passed into t() can be both plain-text as well as HTML. Because there is no reliable way to distinguish the two, we should just remove the call to filter_xss_admin() on locale import. It is obviously causing problems.

We really can't reliably clean up imported locale strings. At most we can come up with hacks that will work in most cases. But I think it's better to just remove it from core.

Perhaps a better approach is simply to make a locale checker script that throws warnings? We could use the following snippet to reliably detect possibly bad strings, without false negatives:

if (decode_entities($value) != decode_entities(filter_xss_admin($value))) { /* possibly bad value */ }

This would not cause problems when a lone ampersand is used in a string, but still throw errors when bad stuff is included. We can't use a similar snippet on import though, because it does not preserve HTML validity of the value.

This issue doesn't exist only in t(). It's necessary to recognize exist in also all functions through the check_plain().

This issue doesn't exist only in t().
It's not only t () this issue exists.

No, it is wrong recognition.
Well, there is no problem if '&' is used alone. However, '&' will be used as a part of '&gt' and '&lt'(and much more) of character entity.
Therefore, the problem occurs if '&' is doubly encoded in check_plain().

There is no need to use HTML entities inside check_plain()'d text. You can already use any unicode character directly.

The actual problem here has already been described. Locale assumes its strings are all HTML, which is not true.

If you want to keep existing bug, I stay out of this issue.

It's effective only at first time post, even if the patch of #19 is applied.
It's converted into character entity when editing again and enters the text area.
Therefore, patch of #19 is not too important.

There were indeed more calls to filter_xss_admin() elsewhere. Attached a patch to remove them all, including the str_replace.

I think this should be fixed and looks okay. Any objections? Security review?

Rerolled without parse error. Will review.

Right now we have two permissions that enable a user to gain more privileges:

1. administer users
2. administer access control

That these two permissions can be used to escalate someone's access is quite obvious. That is not true for the administer locales permission, however.

Now, I know that the administer locales permission will not be handed out that often, but if you have a permission it should sharply define what is possible.

I see several options:

1. Won't fix the current double escape problem.
2. Remove string editing from core all together.
3. Make it obvious that administer locales is a 'dangerous' permission.
4. Tie administer locales to another permission.
5. Patch goes in as is.
6. ?

Killes alerted me to the fact that this patch combined with our CVS translation policies allow malicious CVS account holders to execute XSS attacks via our .po files:

I had added this filtering during March when I noticed that imported
files could be used to insert xss. Our PO files are not reviewed or
protected in any way and malicious cvs account owners could add evil XSS
stuff to any PO file, even core PO files.

I realize malicious CVS account holders can do harm via their own modules, but never they cannot taint core or other modules atm.

So a -1 on this patch *until* we fix our CVS policies and work out the issues I mentioned above.

Where translations come from is a matter of trust... holding this patch because the necessary CVS scanning infrastructure is in place is kind of silly. That's like saying we should keep module installation broken because someone might post an insecure one.

Whether or not a module can 'taint core' is stupid. A module could easily leave behind PHP code in a node or block to do its bidding after it's been uninstalled too, or a module could even insert malicious translation strings itself on install.

As I already said before, the following test can be used to detect possibly bad translation strings. It should not have any false positives. But it is only a test, not a transformation, as it destroys valid HTML.

if (decode_entities($value) != decode_entities(filter_xss_admin($value))) { /* possibly bad value */ } 

Either we build a scanning script for cvs, or we add this check to Drupal core when importing. I cannot guarantee that this will never give any false positives, although for the typical cases of translatable strings, it should not be a problem. It should certainly not let any XSS through.

However, I believe we should treat this as a separate issue. This patch itself fixes a bug when importing and editing locales, namely that some strings are irreversibly corrupted.

IMO this is a "won't fix". We do not have any strings on core that have & for the menu.

Should I revert the previously applied patch?

Steve: you're not making much sense. If %value placeholders are used, the output is HTML and should be printed as such. Forms API just passes through the #description strings, it does not escape them.

Anyway. Discussed with Dries: the filter_xss calls are removed. We will look at an xss safeguard for .po files for 6.0 or for contrib, but this is a highly theoretical attack vector. There are much easier ways to screw up Drupal sites, and we have our hands full already.

Steve: come again?