Replies: 7 comments
-
This is by design for security purposes
-
That's not a particularly good situation - I'm sure there are many Templates that allow for the insertion of code for Meta data, Google Tag manager, OG Tags etc. These are now all stripped out if the template is modified. Storing the template config in the template_styles table would seem to be the by design solution. This has literally broken 100 or so websites that I look after. I don't see the security risk. If website developers and/or owners want to do this it should be their choice to do so. This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/32664.
-
The beez template field that you refer to has a "string" filter on the input and it has done so for at least 4 years. So you are trying to taste an orange by biting an apple. If your template has any input fields you should check and see what filter is set. That's where your problem lies. You can find the list and definition of filters here https://docs.joomla.org/Retrieving_request_data_using_JInput#Available_Filters
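The check suggested in the comment above (see which filter each template input field declares), as an added example that is not part of the original thread: a Python script that lists every `<field>` in a template's `templateDetails.xml` together with its `filter` attribute. The manifest is a constructed sample for a hypothetical template; only the "string" filter on the Beez site title comes from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample manifest for a hypothetical template (not from the thread).
SAMPLE_MANIFEST = """
<extension type="template" client="site">
  <config>
    <fields name="params">
      <fieldset name="advanced">
        <field name="sitetitle" type="text" filter="string" />
        <field name="head_code" type="textarea" filter="raw" />
        <field name="footer_note" type="textarea" />
        <field name="logo_width" type="text" filter="int" />
      </fieldset>
    </fields>
  </config>
</extension>
"""

def audit_field_filters(manifest_xml):
    """List every <field> under <config> with the filter it declares."""
    root = ET.fromstring(manifest_xml.strip())
    # ElementTree has no parent pointers, so build a child -> parent map.
    parent = {child: node for node in root.iter() for child in node}
    rows = []
    for field in root.iterfind("./config//field"):
        node, fieldset = field, None
        while node in parent and fieldset is None:
            node = parent[node]
            if node.tag == "fieldset":
                fieldset = node.get("name")
        declared = (field.get("filter") or "").strip().lower()
        if not declared:
            note = "no filter attribute: the core's default filtering applies"
        elif declared == "raw":
            note = "saved unfiltered: markup is kept, so limit who may edit styles"
        else:
            note = "explicit filter"
        rows.append({"fieldset": fieldset, "name": field.get("name"),
                     "type": field.get("type"), "filter": declared or None,
                     "note": note})
    return rows

if __name__ == "__main__":
    for row in audit_field_filters(SAMPLE_MANIFEST):
        print("{fieldset}/{name} ({type}) filter={filter}: {note}".format(**row))
```

Running it on each installed template's manifest before a core update shows which fields rely on an unstated default and which ones store markup unfiltered.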
-
Thanks - I understand the Input Filtering and I can see how Beez is different to what I'm seeing with the template I'm using. I've been using the same template facility since Joomla 2.5 and never had this problem before. I have an old disused site running Joomla 3.9.19 that I just fired up and it works perfectly i.e. if you save the Template Config which is stored in the template_styles table it works perfectly. Any sites running 3.9.25 have this issue. Something in the save template config area has changed in one of the later versions of Joomla that is causing the problem. It's not an issue with the template. Having said that the Template mechanism may need to be updated to suit a new regime in Joomla - but what has changed? This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/32664.
-
I have spent some time testing J3.9.22 J3.9.23 J3.9.24 and J3.9.25 and I've confirmed the change was made in J3.9.25. Versions 22, 23 and 24 all work perfectly, Version 25 introduces the erroneous change. I haven't as yet figured out exactly what has changed that is causing the problem but I see that Filtering has been applied in some of the files. This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/32664.
-
Probably this https://developer.joomla.org/security-centre/845-20210305-core-input-validation-within-the-template-manager.html
-
Yes - The issue is being caused by the updated file \libraries\vendor\joomla\filter\src\InputFilter.php incorporated in version 3.9.25. I've raised a ticket with the template framework developers to address from their end. In the meantime, temporarily reverting this file back to the 3.9.24 version will allow the Template Configuration to save successfully. (comments added in case others have the same issue and need a temporary fix)
-
Steps to reproduce the issue
The Template I'm using allows the inclusion of custom code to be inserted at various points, e.g. after the head tag. Anything enclosed in <> is stripped off when the template config is saved, e.g. <script>
It's not specific to the template I'm using as the same issue exists in the template Beez. If you change the default Site Title from Joomla! to <Joomla!>, this results in an empty Site Title.
Expected result
Anything enclosed in <> should be retained
Actual result
Anything enclosed in <> is stripped upon save
System information (as much as possible)
Joomla 3.9.25, PHP 7.4.15, MySQL 5.6.51
Additional comments
I've tested this on 3 different websites on 2 different hosting services and I get the same result