It seems like setAndSave shortcut method does not play well with an array of fields unput.

This code does not work:

$page->setAndSave(array(
    'next_action' => 'JustTest',
    'next_action_time' => time() + 12 * 3600,
));

This one does:

$page->setAndSave(array(
    'next_action' => 'JustTest',
));

and this one too (of course):

$of = $page->of();
$page->of(false);
$page->next_action = 'JustTest';
$page->save('next_action');
$page->next_action_time = time() + 12 * 3600;
$page->save('next_action_time');
$page->of($of);

Or I messed something up)

Affected software : Processwire CMS

Version : v.1.3.6

Type of vulnerability : XSS (Cross-Site Scripting)

Author : Noth

Description:
Processwire CMS is susceptible to cross-site scripting attacks, allowing malicious users to inject code into web pages, and other users will be affected when viewing web pages

PoC :

Step 1 : login system

Step 2 : Go to "/processwire/page/edit/?id=1"

Step 3 : insert "XSS" test grammar in "Titile" and save it.
XSS Payload : "><script>alert(document.cookie)</script>

Step 4 : Go back to the login system page

Test Video :
https://drive.google.com/file/d/1j06Id6IHf5aUOTnU8w9wSujjGLuX3Wn9/view?usp=sharing

• Don't submit issue reports here, they will be closed automatically. Instead submit ProcessWire issue reports to the ProcessWire issues repository.
• Please do not submit feature requests to the issues repository, instead use the ProcessWire feature requests repository.
• Please do not use the issues repository for ProcessWire support, instead use the support forum at https://processwire.com/talk/.
• Always include the full ProcessWire version (i.e. 3.0.34). Also include the PHP or MySQL version when potentially applicable.
• Indicate any 3rd party modules that are installed.
• When possible please confirm the issue on a separate installation before submitting an issue report.
• When the issue is resolved, please close it.

PW 3.0.33
Tracy 3.0.3

While Im trying to change field type from TextareaLanguage to Textarea i get notice from 483 line

Notice

Trying to get property of non-object search► skip error►

Source file

File: ...\domains\localhost\pw-clean\wire\core\Fields.php:483

473:            /** @noinspection PhpAssignmentInConditionInspection */
474:            while($row = $query->fetch(\PDO::FETCH_ASSOC)) $schema1[] = $row['Field'];
475:    
476:            $query = $database->prepare("DESCRIBE `$table2`"); // QA
477:            $query->execute();
478:            /** @noinspection PhpAssignmentInConditionInspection */
479:            while($row = $query->fetch(\PDO::FETCH_ASSOC)) $schema2[] = $row['Field'];
480:                
481:            foreach($schema1 as $key => $value) {
482:                if(!in_array($value, $schema2)) {
>>>483:                    if($this->config->debug) $this->message("changeFieldType loses table field '$value'"); 
484:                    unset($schema1[$key]); 
485:                }
486:            }

Also it creates table in DB named like "field_name_pwtmp".
If to turn off strict mode in Tracy settings and after removing of newly created temporary table, changing of field type could be done normally.

In this messege Adrian has already suggested a fix for it.

Change 483 line of wire/core/Fields.php to:

if($this->wire('config')->debug) $this->message("changeFieldType loses table field '$value'");

@gmclelland commented on Wed Aug 15 2018

Short description of the issue

When editing any page in the backend, I see the following error in my Google Chrome console:

ckeditor.js:253 Uncaught Error: [CKEDITOR.resourceManager.add] The resource name "mystyles" is already registered. at CKEDITOR.resourceManager.add (ckeditor.js:253) at mystyles.js?t=2015030801.160:9

Expected behavior

No errors

Actual behavior

Error is shown in the console, but everything seems to function okay. My custom styles for "Callouts" is included in the CkEditor's "Styles" dropdown.

Optional: Screenshots/Links that demonstrate the issue

CKEDITOR.stylesSet.add( 'mystyles', [
 { name: 'Inline Code', element: 'code' },
 { name: 'Inline Quotation', element: 'q' },
 { name: 'Left Aligned Photo', element: 'img', attributes: { 'class': 'align_left' } },
 { name: 'Right Aligned Photo', element: 'img', attributes: { 'class': 'align_right' } },
 { name: 'Centered Photo', element: 'img', attributes: { 'class': 'align_center' } },
 { name: 'Button', element: 'a', attributes: { 'class': 'button' } },
 { name: 'Button - Tiny', element: 'a', attributes: { 'class': 'button tiny' } },
 { name: 'Button - Small', element: 'a', attributes: { 'class': 'button small' } },
 { name: 'Button - Large', element: 'a', attributes: { 'class': 'button large' } },
 { name: 'Callout - Success', element: 'p', attributes: { 'class': 'callout success' } },
 { name: 'Callout - Warning', element: 'p', attributes: { 'class': 'callout warning' } },
 { name: 'Callout - Alert', element: 'p', attributes: { 'class': 'callout alert' } },
 { name: 'Callout - Primary', element: 'p', attributes: { 'class': 'callout primary' } },
 { name: 'Callout - Secondary', element: 'p', attributes: { 'class': 'callout secondary' } },
 { name: 'Small', element: 'small' },
 { name: 'Deleted Text', element: 'del' },
 { name: 'Inserted Text', element: 'ins' },
 { name: 'Cited Work', element: 'cite' }
]);

Setup/Environment

Server Details

Good day!

This is a feature suggestion.

I always look for a way to minimize the amount of fields in my PW installation, reuse them as much as I can. Template context help me a lot, but not with images.

This update made it possible to override more options in custom fields. Why not allow more options to override for core fields?

It would make image fields much more reusable, if we could override these options:

• Maximum Files Allowed,
• Formatted value,
• Min and Max Image demensions

The more the better) Is there anything preventing this?

Processwire Version: 3.0.89

A issue arises resulting of a problem in WireInput->setUrlSegment. My setup allows a URL Segment "logIn" (uppercase "i") which works nicely as long as I don't set pageNameCharset.

WireInput (around line 295) uses Sanitizer->name() to clean up the segment's name. As soon as I set $config->pageNameCharset='UTF8', Sanitizer->pageNameUTF8() is called.
As there are no "special" characters in the given segment, it hands over to Sanitizer->pageName() on line 473.
So different methods are used for cleaning up the string: In the regular case Sanitizer->name(), in the UTF8 case it's Sanitizer->pageName().

The results of the two functions differ: In my case the "logIn" is translated to "login" and the client is redirected to this page. As the "login" segment doesn't exist the redirect results into an error page.

I see the following possibilities:

• Let Sanitizer->pageNameUTF8() call $this->name on line 473
• remove the conversion to lower case at the end of Sanitizer->pageName()
• add another parameter to sanitizer->pageName() which allows the invoking method to decide if a lowercase conversion should be done.
• Create a single point for doing the filtering of (UTF8) characters and access this from different methods.

I don't understand why there are different functions name() and pageName() - shouldn't they do the same?
I have also seen some "punycode" handling in there: punycode is only relevant for hostnames - so why is there a punycode handling in the pageName() sanitizer?

I could submit patches but I'd like to know which way do go before I implement something, so please get in contact with me.

When getting an image file's information, the program does not care about XXE vulnerability, which could lead to sensitive information leakage or DoS attack.
In Pageimage class(wire\core\Pageimage.php), function getImageInfoSVG parses file without any sanitation ,whose content may contain attack vectors.

	protected function getImageInfoSVG($filename = '') {
		$width = 0;
		$height = 0;
		if(!$filename) $filename = $this->filename;
		$xml = @file_get_contents($filename);
		
		if($xml) {
			$a = @simplexml_load_string($xml)->attributes();

With php 5.5 and lower I'm getting Error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 123207680 bytes) (line 8 of when i try to do

echo '<pre>';
print_r( $page );
echo '</pre>';

on a template file.

Works fine with php 5.6 and up.
Also on PW 2.7 it works with php 5.3.

I'm on windows 10 x64 using ampps.

http://prntscr.com/qficmu this is " wire--modules--languagesupport--languagesupport-module"
http://prntscr.com/qficw1 this is datepicker lang changer

Now lang changer is not working but first one is working. Than date picker successfully saved but

when i change first one like en_US.UTF8 , second photo and scripts are work but datepicker not saved its not send date

Bug report:
When adding the permission "page-publish" , and logging in as a user that does not have that permission, the publish button will be removed, but only part way, and a set of links belonging to that button will still show.

System:
Clean install with pro drafts, and croppable image 3. ProcessWire 3.0.62

Browser:
Safari

Use Case:
Setting up a workflow where users can draft pages, but not publish them. (so that all content can be reviewed first)

Forum Link: https://processwire.com/talk/topic/17082-bug-when-adding-page-publish-permission/#comment-149976

After using $session->forceLogin($loginUser) the $user variable does not get updated before the page reload. But wire('user') function returns what is needed. It seems a little inconsistent. Is it supposed to be that way, or is it a bug?