Monolog dependency fixed to lastest and Export to word Document fixed#215
Monolog dependency fixed to lastest and Export to word Document fixed#215asuquoe62-star wants to merge 3 commits into
Conversation
| apache2 \ | ||
| curl \ | ||
| mysql-client \ | ||
| pandoc \ |
There was a problem hiding this comment.
Love pandoc and I support this! But please add it to the main Dockerfile (in the repo root) if it is not already there too.
There was a problem hiding this comment.
Agree, @asuquoe62-star Can you add this to the commit? If not we can sync up on it or I can add it.
|
|
||
| function blis_word_export_docx($html_fragment, $file_prefix) | ||
| { | ||
| $pandoc_bin = trim((string)shell_exec('command -v pandoc')); |
There was a problem hiding this comment.
So - important note, but this won't work on Windows.
I'm not going to block the PR on this, since this happens elsewhere in the codebase too. But we definitely could have it work on Windows if we also shipped Pandoc in the runtime.
| $tmp_docx_base = tempnam(sys_get_temp_dir(), 'blis_word_docx_'); | ||
| if($tmp_html === false || $tmp_docx_base === false) | ||
| { | ||
| return false; |
There was a problem hiding this comment.
In this case (and probably all the other failure cases) you should be logging an error with the logger.
There was a problem hiding this comment.
If we return early here because tempnam failed for the second file, we might leave the first temporary file ($tmp_html) orphaned in the system's temp directory. We should ensure @Unlink($tmp_html) is called or consolidate the cleanup logic to prevent local storage bloat over time.
There was a problem hiding this comment.
That's good file hygiene, but it's not actually necessary. On Linux systems, and I assume macOS, /tmp is a tmpfs mount meaning that all of its files are stored in memory. When it's unmounted, the files disappear.
mitchell@kingsley:~$ mount | grep '/tmp'
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,seclabel,nr_inodes=1048576,inode64,usrquota)The Windows temp dir does NOT do this as far as I know, so deleting files on that platform makes sense. However there is a cleanup utility that can run periodically on Windows that would clean these up.
Co-authored-by: Mitchell Rysavy <mitchell.rysavy@gmail.com>
| } | ||
|
|
||
| # Some callers still pass slashed payloads. | ||
| $normalized = stripcslashes($html_fragment); |
There was a problem hiding this comment.
Since stripcslashes is being used on raw $_REQUEST data that is eventually echoed back in the blis_word_send_legacy_doc fallback, we should be careful about XSS. If Pandoc isn't available, we are essentially rendering unsanitized HTML. It might be worth adding a step to strip <script> tags or sensitive event handlers here to secure the legacy export path. Somewhat of a fallback
| header('Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document'); | ||
| header('Content-Disposition: attachment; filename="'.$file_name.'"'); | ||
| header('Content-Length: '.filesize($tmp_docx)); | ||
| readfile($tmp_docx); |
There was a problem hiding this comment.
It's a good idea to call ob_end_clean() here before readfile(). If any PHP notices or stray whitespace were echoed earlier in the execution, they could prepend the file stream and corrupt the resulting .docx file structure.
3 participants
No description provided.