Latte and Invalid Unicode

[rkocman]

Version: 2.6.0 (and all previous?)

Bug Description

If the content of a page is acquired from various sources, it may happen that it contains some invalid Unicode. However, when Latte encounters the invalid Unicode, it starts to behave rather unpredictably (for a tool that should help with the output printing).

Steps To Reproduce

Consider the following demo:

composer require tracy/tracy
composer require latte/latte

index.php:

<?php
require_once __DIR__.'/vendor/autoload.php';
Tracy\Debugger::enable();
$template = __DIR__.'/test1.latte';
//$template = __DIR__.'/test2.latte';
//$template = __DIR__.'/test3.latte';
$latte = new Latte\Engine;
$latte->render($template);

and the following templates:
test1.latte:

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <title>Latte Test</title>
  </head>
  <body>
    Welcome!<br>
    {var $validC="Valid codepoint: \u{30A2}."}
    {var $valid8="Valid UTF-8: \xE3\x82\xA2."}
    {var $invalidC="Invalid codepoint: \u{D800}."}
    {var $invalid8="Invalid UTF-8: \xE3\x80\x22."}
    1. {$validC}<br>
    2. {$valid8}<br>
    3. {$invalidC}<br>
    4. {$invalid8}<br>
    5. {$invalidC|noescape}<br>
    6. {$invalid8|noescape}<br>
    End.
  </body>
</html>

test2.latte:

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <title>Latte Test</title>
  </head>
  <body>
    Welcome!<br>
    {var $validC="Valid codepoint: \u{30A2}."}
    {var $valid8="Valid UTF-8: \xE3\x82\xA2."}
    {var $invalidC="Invalid codepoint: \u{D800}."}
    {var $invalid8="Invalid UTF-8: \xE3\x80\x22."}
    <script>
    //1. {$validC}<br>
    //2. {$valid8}<br>
    //3. {$invalidC}<br>
    //4. {$invalid8}<br>
    //5. {$invalidC|noescape}<br>
    //6. {$invalid8|noescape}<br>
    </script>
    End.
  </body>
</html>

test3.latte:

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <title>Latte Test</title>
  </head>
  <body>
    Welcome!<br>
    {var $validC="Valid codepoint: \u{30A2}."}
    {var $valid8="Valid UTF-8: \xE3\x82\xA2."}
    {var $invalidC="Invalid codepoint: \u{D800}."}
    {var $invalid8="Invalid UTF-8: \xE3\x80\x22."}
    <style>
    /*1. {$validC}<br>*/
    /*2. {$valid8}<br>*/
    /*3. {$invalidC}<br>*/
    /*4. {$invalid8}<br>*/
    /*5. {$invalidC|noescape}<br>*/
    /*6. {$invalid8|noescape}<br>*/
    </style>
    End.
  </body>
</html>

In test1, the output of 3. and 4. is completely discarded and nothing is printed.
In test2, a runtime exception "Malformed UTF-8 characters" is raised.
In test3, everything is printed as it is without any modifications.

Expected Behavior

Some examples how (not) to handle the invalid Unicode can be found here:
http://unicode.org/reports/tr36/#Deletion_of_Noncharacters
http://unicode.org/reports/tr36/#Illegal_Input_Byte_Sequences
http://unicode.org/reports/tr36/#Some_Output_For_All_Input
Most prominently, web browsers replace the illegal byte sequences with the replacement character U+FFFD.
From my point of view, it is undesired to discard the whole string or to raise the exception.

Possible Solution

The problematic part of the code seems to be located in Latte/Runtime/Filters, where htmlspecialchars and json_encode are used.
If you look at the documentation:
https://www.php.net/manual/en/function.htmlspecialchars.php
https://www.php.net/manual/en/function.json-encode.php
there are flags ENT_SUBSTITUTE and JSON_INVALID_UTF8_SUBSTITUTE that can handle the situation.

As a side note, in Tracy/Helpers the HTML content is already being escaped with ENT_SUBSTITUTE.

[dg]

Tracy and Latte are different cases. Tracy has no idea what encoding is used on input and it tries to output something in UTF-8 :-)

Latte, on the other hand, assumes that the input is valid UTF-8, so it treats errors draconically. It means exceptions in case of JSON and discarded output for text. It is true that in the case of CSS the UTF validity check is missing.

But I agree that it would be better to substitute invalid characters with U+FFFD in case of HTML, because there is no other way to figure out the errors (htmlspecialchars does not report any errors).

In case of JSON I would stay with exceptions, because it is a way for the programmer to know about the error.

[rkocman]

If the valid UTF-8 is required, then fair enough.
However, from my point of view, when I print something with Latte, I have already done all my prepossessing, and I want to simply print the content on the given place.
If I want to know specifically about invalid characters, I can do a prior check myself.
In the current state, if I don't want Latte to fail, I need to either check all printed content for invalid Unicode or re-implement Latte/Runtime/Filters.
Is this really a common case that you want a template engine to rather fail on invalid characters?

[dg]

I have no idea where you want to get with these questions. Let's talk to the point.

for HTML: I agree that substitute will be better than current discard.
for CSS: Well, substitution could be added here.
for JSON: It would be possible to replace exceptions with substitution + E_WARNING. But I think it's a solution to a problem that no one has.
for non-escaped-output: Substitution could be added here too. The question is if it is really useful, because of course it has a small impact on performance.

[rkocman]

Yes, such a solution works for me.

On the question whether thoroughly substitute all invalid characters, I am really not sure since I can't make a qualified estimate on the impacts. For my specific project, the results make no difference, since web browsers can handle invalid characters themselves.

On "where you want to get with these questions", I just prefer to have tools with predictable behavior. We actually found this bug by accident, when we printed a string from an outside source into JS in Latte and in some rare cases the page went 500.

[dg]

I understand. So from my point of view, I want the template system to fail on invalid characters. Because input check is nontrivial.

[rkocman]

Some additional notes:

1. There are other parts of the code that do not fully work as intended (in border cases), when a potentially invalid Unicode is considered. Take for example this code from Latte/Runtime/Filters:

public static function escapeXml($s): string
{
    $s = preg_replace('#[\x00-\x08\x0B\x0C\x0E-\x1F]+#', '', (string) $s);
    return htmlspecialchars($s, ENT_QUOTES | ENT_XML1 | ENT_SUBSTITUTE, 'UTF-8');
}

The idea is to remove unwanted characters like \x08 from the result, but in the current order it can also "repair" invalid sequences. Example:

<?php
$s = "\xc4\x08\x9b";
echo('|raw:'.$s);
echo('|latte:');
$sw = preg_replace('#[\x00-\x08\x0B\x0C\x0E-\x1F]+#', '', (string) $s);
echo(htmlspecialchars($sw, ENT_QUOTES | ENT_XML1 | ENT_SUBSTITUTE, 'UTF-8'));
echo('|xml:');
echo(htmlspecialchars($s, ENT_QUOTES | ENT_XML1 | ENT_SUBSTITUTE, 'UTF-8'));
echo('|reversed:');
$sw = htmlspecialchars($s, ENT_QUOTES | ENT_XML1 | ENT_SUBSTITUTE, 'UTF-8');
echo(preg_replace('#[\x00-\x08\x0B\x0C\x0E-\x1F]+#', '', (string) $sw));

2. The second note does not concern Latte directly, but it is aimed to Nette in general. When it comes to the input sanitation and current best practices, it looks like that Nette deliberately chooses the now rather discouraged way that removes invalid symbols from the input. Is this intended for some specific reason, or maybe it is just a relic for backward compatibility? I can see some potential benefits in certain cases, e.g., form inputs in which users can fill some problematic symbols by accident. But this practice affects all parts of the system. This leads to situations where, e.g., routers inside the system do not distinguish between canonical paths like:
   https://latte.nette.org/en/guide
   and potentially malicious paths:
   https://latte.nette.org/en/gu%c8%c8%c8%c8%c8ide
   Of course, in this case, the intended page is obvious, and until all parts of the system use Http/Request all is fine. But I can also see some potential security drawbacks concerning other libraries that could use the raw REQUEST_URI.
   I am not saying that this needs to be changed, I am just curious.

[dg]

ad 1) Good point, if escapeXml() returns FFFD character for invalid UTF-8, it should return it also for C0 characters.

ad 2) Behind this is some historical development. Nette used to be draconian once, throwing away all the invalid inputs, but it turned out to be problematic. I remember someone had a secretary in the office who was writing so fast that she occasionally typed an escape sequence (wtf?), there were a lot of CMSs that were damaging URLs, etc., so Nette gradually returned to remove unwanted characters. However, a change in behavior is planned, but requires some architecture changes, so it will come in the next release. nette/http#41