Diff in `src/views/pages/blog/single.twig` (context line `{% endif %}` unchanged), before:

```twig
<article class="leading-7 text-sm mb-10">{{ article.body|replace({' ': ' '})|raw }}</article>
```

after:

```twig
<article class="leading-7 text-sm mb-10">{{ article.body|replace({'"': '"', '"': '"', '<': '<', '>': '>', '<': '<', '>': '>'})|raw }}
```
`src/views/pages/blog/single.twig`, line 60:

**Missing `</article>` closing tag**

The original line ended with `</article>` (the element was self-contained on one line). The new version opens `<article>` but omits the closing tag, leaving it unclosed for the rest of the main content block. This creates invalid HTML — the tags section and `<salla-comments>` are now unintentionally nested inside the `<article>` element, and the outer `</div>` that closes `.main-content` is reached while `<article>` is still open.

```suggestion
<article class="leading-7 text-sm mb-10">{{ article.body|replace({'"': '"', '"': '"', '<': '<', '>': '>', '<': '<', '>': '>'})|raw }}</article>
```
`src/views/pages/blog/single.twig`, line 60:

**XSS risk: unescaping `<`/`>` before `|raw`**

The new `replace` map converts the entity-encoded forms of `<`, `>` and `"` to the literal characters immediately before `|raw`. If any part of `article.body` contains intentionally entity-encoded content — for example, a code snippet stored entity-encoded as `&lt;script&gt;alert(1)&lt;/script&gt;` — it will now be injected as a live `<script>` tag in the rendered page. The unescaping should be scoped only to the specific product card web component attributes, not applied globally to the entire article body.
Sure, this was a temporary workaround just for testing purposes

/autoupdate

Auto Update Summary
Failed Updates:
What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)
What is the current behaviour? (You can also link to an open issue here)
What is the new behaviour? (You can also link to the ticket here)
Does this PR introduce a breaking change?
Screenshots (If appropriate)
Greptile Summary

This PR updates the blog single article template to support interactive product card web components in the rich editor by replacing HTML entities (`&lt;`, `&gt;`, `&quot;`) with their literal characters before rendering the article body as raw HTML.

- **Missing `</article>` closing tag:** The refactored line drops the `</article>` closer that was previously on the same line, leaving the element unclosed and producing structurally invalid HTML.
- **Entity unescaping before `|raw`:** Globally converting `&lt;`/`&gt;` to `<`/`>` across the entire article body and then passing it through `|raw` means any entity-encoded payload (e.g. from a code snippet in the article) will be injected as live HTML. The unescaping should be applied server-side only to the specific product card component elements.

Confidence Score: 2/5

Not safe to merge — contains a missing closing HTML tag and a potential XSS vector in the article body rendering path.

Two P1 findings: a structural HTML bug (missing closing tag) and an XSS risk from blanket entity-unescaping before `|raw`. The XSS finding is on a public-facing blog page processed via `|raw`, which places it in P0 territory if merchant-created content can include entity-encoded payloads.

Important Files Changed

- `src/views/pages/blog/single.twig` — the only material code change and the source of both findings.

Security Review

- **`|raw` in `single.twig`:** The `replace` filter now converts `&lt;` → `<`, `&gt;` → `>`, and `&quot;` → `"` globally across the entire `article.body` string before `|raw` is applied. Any entity-encoded HTML (e.g., code examples stored as `&lt;script&gt;`) will be injected as executable HTML into the rendered page. The scope of this unescaping must be narrowed to only the product card component markup rather than the full article body.
Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[article.body from rich editor] --> B[replace filter converts entities to literal chars]
    B --> C[raw filter bypasses Twig escaping]
    C --> D[Browser HTML parser]
    D --> E[Rendered as live HTML]
    F[Entity-encoded malicious payload in article body] -->|included| B
    B -->|entities decoded to actual tags| C
    C -->|injected as raw HTML| G[XSS executed in browser]
    style G fill:#ff4444,color:#fff
    style B fill:#ffaa00,color:#000
```
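Added example (not code from the PR or from the Greptile review): a Python model of the two rendering paths the review contrasts, the PR's blanket entity replacement before `|raw` and the scoped alternative the review asks for. It assumes the editor stores the component entity-encoded with the standard `&lt;`, `&gt;`, `&quot;` names, and uses a hypothetical component tag `salla-product-card` and attribute allow-list, since the PR only says "product card web component".

```python
import html
import re

# Hypothetical component tag; the PR only says "product card web component".
CARD_TAG = "salla-product-card"
# Constructed allow-list of attributes the component legitimately uses.
ALLOWED_ATTRS = {"product-id", "variant"}
# The component as the rich editor stores it: entity-encoded markup (assumed &lt; &gt; &quot;).
ENCODED_CARD = re.compile(
    r"&lt;" + CARD_TAG + r"\b(?P<attrs>.*?)&gt;(?P<inner>.*?)&lt;/" + CARD_TAG + r"&gt;",
    re.DOTALL,
)
ATTR = re.compile(r'([A-Za-z][\w-]*)="([^"]*)"')

def unescape_globally(body):
    """The PR's approach: blanket entity replacement over the whole body before |raw."""
    return body.replace("&lt;", "<").replace("&gt;", ">").replace("&quot;", '"')

def _render_card(match):
    # Decode only the component's opening tag, keep allow-listed attributes,
    # and re-escape their values so they cannot break out of the attribute.
    kept = []
    for name, value in ATTR.findall(html.unescape(match.group("attrs"))):
        if name.lower() in ALLOWED_ATTRS:
            kept.append(f'{name}="{html.escape(value, quote=True)}"')
    open_tag = " ".join([CARD_TAG, *kept])
    # Inner content is left entity-encoded; it is never promoted to live markup.
    return f"<{open_tag}>{match.group('inner')}</{CARD_TAG}>"

def unescape_product_cards_only(body):
    """Scoped alternative: only the product card elements become live markup."""
    return ENCODED_CARD.sub(_render_card, body)

def has_live_script(markup):
    return re.search(r"<script\b", markup, re.IGNORECASE) is not None

# Constructed article body: real HTML plus an entity-encoded code sample and one
# entity-encoded product card carrying a non-allow-listed event-handler attribute.
ARTICLE_BODY = (
    "<p>To embed a script you would write:</p>"
    "<pre>&lt;script&gt;alert(1)&lt;/script&gt;</pre>"
    "<p>Recommended product:</p>"
    f"&lt;{CARD_TAG} product-id=&quot;123&quot; onclick=&quot;alert(2)&quot;&gt;"
    f"&lt;/{CARD_TAG}&gt;"
)

if __name__ == "__main__":
    print("global unescape yields live <script>:", has_live_script(unescape_globally(ARTICLE_BODY)))
    scoped = unescape_product_cards_only(ARTICLE_BODY)
    print("scoped unescape yields live <script>:", has_live_script(scoped))
    print(scoped)
```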
Reviews (1): Last reviewed commit: "Merge branch 'master' into feature/STD-1..."