Embedded quote in restapi plugin html message

I am using the restapi AddCampaign call to automate campaign creation.

I have discovered that when the message argument contains HTML with quotes, the quotes get escaped with backslashes when written to the database, and this then breaks the email messages that are sent.

A simple example:

<div id="myData">
auto generated stuff
</div>

is stored in the database as:

<div id=\"myData\">
auto generated stuff
</div>

When the same data is entered via the phpList Send a campaign page, the HTML is saved in the database without the quotes being escaped.

I am hoping there is something simple I can do with the data passed to the API to prevent this, but nothing I have tried makes a positive difference.

Any ideas or suggestions?

Thanks!

@tdgjrb I found the same problem and made a small change to one of the plugin files to remove backslashes at the start of the processing, see

Thanks Duncan! You’re the best.

I was actually looking at doing that just for the following line, but I am always a little reluctant to modify the distributed code for fear of unintended consequences.

phplist-plugin-restapi/plugins/restapi/includes/campaigns.php

    public static function campaignAdd()
    {
        $sql = 'INSERT INTO '.$GLOBALS['tables']['message'].' (subject, fromfield, replyto, message, textmessage, footer, entered, status, sendformat, template, embargo, rsstemplate, owner, htmlformatted ) VALUES ( :subject, :fromfield, :replyto, :message, :textmessage, :footer, now(), :status, :sendformat, :template, :embargo, :rsstemplate, :owner, :htmlformatted );';
        try {
            $db = PDO::getConnection();
            $stmt = $db->prepare($sql);
            $stmt->bindParam('subject', $_REQUEST['subject'], PDO::PARAM_STR);
            ...
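            // bindValue() rather than bindParam(): bindParam() binds by reference and needs a variable, not a function result
            $stmt->bindValue('message', stripslashes($_REQUEST['message']), PDO::PARAM_STR);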
            $stmt->bindParam('textmessage', $_REQUEST['textmessage'], PDO::PARAM_STR);
            ...
            $stmt->bindParam('htmlformatted', $_REQUEST['htmlformatted'], PDO::PARAM_STR);
            $stmt->execute();
            $id = $db->lastInsertId();
            $db = null;
            self::campaignGet($id);
        } catch (\Exception $e) {
            Response::outputError($e);
        }
    }

I will go with your more global fix under the presumption that it has been in use without issues and that it may also prevent a similar issue with a different attribute.

Happy Christmas!
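
The behaviour discussed in this thread, as an added example that is not part of the original posts or the plugin's code: a prepared statement stores an already-escaped value with its backslashes intact, and unescaping once before binding restores the markup. It assumes the request values arrive addslashes()-escaped and that the pdo_sqlite extension is available; the table, the sample data and the `unescapeRequest` and `storeMessage` helpers are hypothetical.

```php
<?php
// Added example: constructed data and a hypothetical table; not phpList code.
// Assumption: request values arrive already addslashes()-escaped.

// Undo the escaping once for every string value, recursing into arrays.
function unescapeRequest(array $request): array
{
    return array_map(function ($v) {
        if (is_array($v)) {
            return unescapeRequest($v);
        }
        return is_string($v) ? stripslashes($v) : $v;
    }, $request);
}

// Insert through a prepared statement and read back what was stored.
function storeMessage(PDO $db, string $message): string
{
    $stmt = $db->prepare('INSERT INTO message (message) VALUES (:message)');
    // bindValue() takes a value; bindParam() binds a variable by reference.
    $stmt->bindValue(':message', $message, PDO::PARAM_STR);
    $stmt->execute();
    $read = $db->prepare('SELECT message FROM message WHERE id = :id');
    $read->execute([':id' => $db->lastInsertId()]);
    return (string) $read->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE message (id INTEGER PRIMARY KEY, message TEXT)');

$html = "<div id=\"myData\">\nauto generated stuff\n</div>";
$request = ['message' => addslashes($html)]; // constructed escaped input

// The placeholder does no unescaping, so the backslashes are stored verbatim.
$asReceived = storeMessage($db, $request['message']);
// Unescaping once before binding stores the original markup.
$unescaped = storeMessage($db, unescapeRequest($request)['message']);

// stripslashes() is only safe on escaped input: on raw text it eats backslashes.
$raw = 'C:\\temp\\list.txt'; // constructed value containing literal backslashes

printf("stored as received equals original: %s\n", var_export($asReceived === $html, true));
printf("stored after unescaping equals original: %s\n", var_export($unescaped === $html, true));
printf("stripslashes on raw text is lossless: %s\n", var_export(stripslashes($raw) === $raw, true));
printf("stripslashes on escaped text is lossless: %s\n", var_export(stripslashes(addslashes($raw)) === $raw, true));
```

The last two lines show why unescaping has to happen exactly once: applied to input that was never escaped, stripslashes() removes backslashes that belong to the content.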