CervantesSec/cervantes

Improper handling of Scriban conditional operators in Report Components

mseckar opened this issue · 12 comments

When generating a Report using a Report Template that contains a Report Component with one of the Scriban conditional operators >, <, >=, <= or &&, the UI freezes and we obtain the following error:

System.InvalidOperationException: This template has errors. Check the <Template.HasError> and <Template.Messages> before evaluating a template. Messages: <input>(18,28) : error : Invalid token found `&`. Expecting <EOL>/end of line.
   at Scriban.Template.CheckErrors()
   at Scriban.Template.EvaluateAndRenderAsync(TemplateContext context, Boolean render)
   at Scriban.Template.RenderAsync(TemplateContext context)
   at Cervantes.Web.Controllers.ReportController.GenerateNewReport(ReportCreateViewModel model) in /src/Cervantes.Web/Controllers/ReportController.cs:line 851

We believe that the operator signs < and > are being sanitized to &lt; and &gt;, respectively. This can be seen by opening the Source Code view of the Report Component in TinyMCE.

Steps to reproduce:

  • Create a Report Component containing the following string:
    {{if 1 < 2}}
    test
    {{else}}
    test2
    {{end}}
  • Attach the Component to a Report template
  • Create a Report using the aforementioned Report template
  • The UI will become unresponsive
  • Check the logs for error message

Creds to @jstangle for the initial discovery.
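
The failure described above, as an added example that is not Cervantes code and not the fix the maintainer shipped: the component body is stored after HTML sanitizing, so `1 < 2` reaches Scriban as `1 &lt; 2` and the lexer stops at the `&`. The `ScribanEntityExample` class, its `StoredComponent` sample and the `DecodeTemplateCode` helper are all constructed here for illustration; the mitigation it shows (decode HTML entities only between `{{` and `}}`, leave the surrounding HTML encoded, and check `HasErrors` before rendering, as the exception message advises) is one assumed approach, not the project's implementation.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;
using Scriban;   // NuGet package "Scriban"

// Added example, not Cervantes code. Reproduces the parse error from the issue
// and shows one assumed mitigation: undo entity encoding only inside {{ ... }}.
public static class ScribanEntityExample
{
    // Constructed sample: the component body as the issue says it is stored after
    // sanitizing, i.e. what TinyMCE's source view shows ("<" became "&lt;",
    // "&&" became "&amp;&amp;", ">" became "&gt;").
    public const string StoredComponent =
        "{{if 1 &lt; 2 &amp;&amp; 3 &gt; 2}}\ntest\n{{else}}\ntest2\n{{end}}";

    // Step 1: parse the stored text as-is, which is what the report generator
    // does in the issue. Scriban's lexer reports "Invalid token found `&`".
    public static bool ParseFails(string text)
    {
        return Template.Parse(text).HasErrors;
    }

    // Step 2 (assumed mitigation): decode entities only between {{ and }}.
    // Text outside the delimiters keeps its encoding, so the HTML body stays
    // sanitized; only the template code written by the report author is restored.
    private static readonly Regex CodeBlock =
        new Regex(@"\{\{(.*?)\}\}", RegexOptions.Singleline | RegexOptions.Compiled);

    public static string DecodeTemplateCode(string html)
    {
        return CodeBlock.Replace(html,
            m => "{{" + WebUtility.HtmlDecode(m.Groups[1].Value) + "}}");
    }

    // Step 3: check HasErrors before rendering, as the exception text advises,
    // so a broken template is reported up front instead of surfacing as an
    // unhandled exception from RenderAsync during report generation.
    public static string RenderReport(string stored)
    {
        var template = Template.Parse(DecodeTemplateCode(stored));
        if (template.HasErrors)
        {
            throw new InvalidOperationException(
                "Template errors: " + string.Join("; ", template.Messages));
        }
        return template.Render();
    }

    public static void Main()
    {
        Console.WriteLine("Stored text parses with errors: " + ParseFails(StoredComponent));
        Console.WriteLine("Decoded template code:\n" + DecodeTemplateCode(StoredComponent));
        Console.WriteLine("Rendered output: " + RenderReport(StoredComponent).Trim());
    }
}
```

The decode step has to run immediately before `Template.Parse`, after every HTML-processing stage: the later comments in this thread attribute the two regressions to an updated sanitizer and to Premailer.net encoding the characters, and a decode placed after the last of those stages is unaffected by either. The regex assumes plain `{{ ... }}` delimiters; Scriban's escape blocks (`{%{ ... }%}`) and whitespace-control markers (`{{~`) would need the pattern extended.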

Hi @mseckar and @jstangle, thanks for reporting the issue. I will take a look and I will let you know :)

Thank you
Best regards

Hi @mseckar and @jstangle, I found the issue and I think it is fixed. I created a dev image if you want to test it before I commit the changes :)

git clone https://github.com/CervantesSec/docker.git
  • After that you need to start your docker containers:
docker-compose -p cervantes -f docker-compose-dev.yml up -d

Thank you :)
Best regards

Hi @mesquidar, thank you for your quick solution. I can confirm it is working. I will do some additional tests and let you know.

Regards,
Jan

Hello @mesquidar, the fix LGTM, all operators pass.

Thanks for the quick response.
Best regards

Perfect, thank you both for confirming. I will commit the changes and close the issue :)

Best regards

Hi @mesquidar, unfortunately this bug seems to be back again. Old unedited components and templates work fine but new ones with conditional operators behave the same as before.

Hi @jpostolk, let me take a look :)

Hi @jpostolk, it should be fixed again. When we updated the sanitizer method, it broke the components part again.
There's already a new image available with the fix :)

Thank you
Best regards

Hi, thank you very much for the quick fix :)

Hi @mesquidar, unfortunately this seems to be broken again.

Best regards,
Jonas

Hi @jpostolk, I checked it and this time it seems it was Premailer.net (the library that processes and moves the CSS inline) that encodes the characters and makes Scriban break. It should be fixed again and a new image is already available :)

Thank you
Best regards

Thanks @mesquidar, we have verified the fix, and it is now working well. :)