Skip to content

fix(installer): fix broken Next button on non-form pages#1668

Merged
mambax7 merged 2 commits intoXOOPS:masterfrom
mambax7:fix/installer-next-button-broken
Mar 20, 2026
Merged

fix(installer): fix broken Next button on non-form pages#1668
mambax7 merged 2 commits intoXOOPS:masterfrom
mambax7:fix/installer-next-button-broken

Conversation

@mambax7
Copy link
Collaborator

@mambax7 mambax7 commented Mar 20, 2026
edited by coderabbitai bot
Loading

Summary

  • json_encode() on the Next button's onclick wraps the URL in double quotes, which clash with the HTML attribute's double quotes
  • The browser parses onclick="location.href="http://..." as a truncated attribute, making the button non-functional
  • This blocks the installer at page_start.php — users cannot proceed past step 2
  • Fix: use single-quoted JS string inside the double-quoted attribute, matching the pattern used elsewhere in the codebase

Test plan

  • Run the XOOPS installer from scratch
  • Verify the Next button works on page_start.php (and all other non-form pages)
  • Verify form-based pages (with submit buttons) still work correctly

Summary by CodeRabbit

  • Bug Fixes
    • Fixed the installation wizard's "Next" button so it reliably navigates to the correct page when no form is present, improving URL handling and preventing broken or mis-parsed inline navigation behavior.

@mambax7
fix(installer): fix broken Next button on non-form pages
fae2bee 
json_encode() wraps the URL in double quotes, which clash with the
HTML onclick attribute's double quotes, causing the browser to parse
the attribute incorrectly. The Next button becomes non-functional,
blocking the installer at page_start.php.

Use single-quoted JS string inside the double-quoted HTML attribute
instead.
Copilot AI review requested due to automatic review settings March 20, 2026 04:14
@coderabbitai
Copy link

coderabbitai bot commented Mar 20, 2026
edited
Loading

Walkthrough

Adjusted the install wizard "Next" button inline JavaScript so the computed pageURI("+1") value is emitted as a single-quoted JavaScript string literal in the location.href assignment instead of an unquoted expression.

Changes

Cohort / File(s) Summary
Install template change
htdocs/install/include/install_tpl.php		 Rewrote the Next button's onclick handler to assign location.href using a single-quoted JS string literal around the rendered pageURI("+1") value (fixes HTML attribute/JS quoting of the inline script).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and accurately summarizes the main change: fixing a broken Next button on installer pages that lack form elements.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
📝 Coding Plan
  • Generate coding plan for human review comments

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Copilot AI reviewed Mar 20, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Fixes the XOOPS installer “Next” button on non-form pages by correcting how the target URL is embedded into the button’s onclick handler so the browser parses it correctly and navigation works (notably on page_start.php).

Changes:

  • Update installer template to generate a valid onclick navigation expression for non-form wizard pages.

htdocs/install/include/install_tpl.php Outdated
<div class="text-end mt-4">
<button class="btn btn-lg btn-success" type="<?php echo !empty($pageHasForm) ? 'submit' : 'button'; ?>"
<?php if (empty($pageHasForm)): ?>onclick="location.href=<?php echo json_encode($wizard->pageURI('+1')); ?>"<?php endif; ?>>
<?php if (empty($pageHasForm)): ?>onclick="location.href='<?php echo $wizard->pageURI('+1'); ?>'"<?php endif; ?>>
Copy link

Copilot AI Mar 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The new onclick builds a JavaScript string using a raw $wizard->pageURI('+1') value without JS/HTML escaping. Since pageURI() incorporates $_SERVER['HTTP_HOST']/PHP_SELF (see installwizard::baseLocation()), a crafted Host header or unexpected characters (e.g. a single quote) could break out of the JS string and/or attribute and enable XSS. Prefer generating the URL as a proper JS string via json_encode(...) and avoid the quote-collision by switching the HTML attribute to single quotes (or otherwise escaping for both JS + HTML contexts).

Suggested change
<?php if (empty($pageHasForm)): ?>onclick="location.href='<?php echo $wizard->pageURI('+1'); ?>'"<?php endif; ?>>
<?php if (empty($pageHasForm)): ?>onclick='location.href=<?php echo json_encode($wizard->pageURI("+1")); ?>'<?php endif; ?>>

Copilot uses AI. Check for mistakes.
@codecov
Copy link

codecov bot commented Mar 20, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 19.19%. Comparing base (f23a9d6) to head (f679f03).
⚠️ Report is 5 commits behind head on master.

Additional details and impacted files 
@@              Coverage Diff              @@
##             master    #1668       +/-   ##
=============================================
+ Coverage          0   19.19%   +19.19%     
- Complexity        0     7448     +7448     
=============================================
  Files             0      620      +620     
  Lines             0    39085    +39085     
=============================================
+ Hits              0     7501     +7501     
- Misses            0    31584    +31584

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

coderabbitai[bot]
coderabbitai bot requested changes Mar 20, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@htdocs/install/include/install_tpl.php`:
- Line 185: Escape the URL output in the onclick attribute by wrapping the
$wizard->pageURI('+1') call in htmlspecialchars to prevent XSS; replace the raw
echo with htmlspecialchars($wizard->pageURI('+1'), ENT_QUOTES | ENT_HTML5)
(keeping the single-quote attribute form) so the onclick uses a safely-escaped
URL.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 499029ef-a38d-4677-9bf6-fc086b3fdd2c

📥 Commits

Reviewing files that changed from the base of the PR and between 71d8a98 and fae2bee.

📒 Files selected for processing (1)
  • htdocs/install/include/install_tpl.php

@mambax7
fix(installer): escape URL output in onclick to prevent XSS
f679f03 
Use json_encode() for proper JS escaping and single-quoted HTML
attribute to avoid double-quote clash. Addresses review feedback
from Copilot, CodeRabbit, and SonarCloud about unsanitized
user-controllable data from $_SERVER in pageURI().
@sonarqubecloud
Copy link

sonarqubecloud bot commented Mar 20, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

coderabbitai[bot]
coderabbitai bot reviewed Mar 20, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

♻️ Duplicate comments (1)
htdocs/install/include/install_tpl.php (1)

185-185: ⚠️ Potential issue | 🟠 Major

Line 185: onclick remains unsafe in HTML attribute context.

json_encode() alone is not sufficient here. Because the attribute is single-quoted, an apostrophe in pageURI() output (derived from $_SERVER['HTTP_HOST']) can still break the attribute and reopen XSS/malformed-HTML risk.

🔧 Proposed fix 
-                                            <?php if (empty($pageHasForm)): ?>onclick='location.href=<?php echo json_encode($wizard->pageURI("+1")); ?>'<?php endif; ?>>
+                                            <?php if (empty($pageHasForm)): ?>onclick="location.href=<?php echo htmlspecialchars(json_encode($wizard->pageURI('+1'), JSON_HEX_APOS), ENT_QUOTES, 'UTF-8'); ?>"<?php endif; ?>>
In PHP, does json_encode() escape single quotes by default, and how does JSON_HEX_APOS affect the output?

As per coding guidelines: "Escape all output with htmlspecialchars($value, ENT_QUOTES, 'UTF-8') or use Smarty auto-escaping".

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@htdocs/install/include/install_tpl.php` at line 185, The onclick attribute
uses json_encode($wizard->pageURI("+1")) which doesn't guarantee safety for
single-quoted HTML attributes (an apostrophe in pageURI from
$_SERVER['HTTP_HOST'] can break the attribute); update the output for the
onclick in install_tpl.php to safely escape the URI — either run the pageURI
result through htmlspecialchars(..., ENT_QUOTES, 'UTF-8') before emitting or
call json_encode with JSON_HEX_APOS and still wrap with htmlspecialchars to be
extra-safe; adjust the conditional that checks $pageHasForm and the onclick
emission around $wizard->pageURI("+1") so the rendered attribute cannot be
broken by unescaped apostrophes or other special chars.
🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@htdocs/install/include/install_tpl.php`:
- Line 185: The onclick attribute uses json_encode($wizard->pageURI("+1")) which
doesn't guarantee safety for single-quoted HTML attributes (an apostrophe in
pageURI from $_SERVER['HTTP_HOST'] can break the attribute); update the output
for the onclick in install_tpl.php to safely escape the URI — either run the
pageURI result through htmlspecialchars(..., ENT_QUOTES, 'UTF-8') before
emitting or call json_encode with JSON_HEX_APOS and still wrap with
htmlspecialchars to be extra-safe; adjust the conditional that checks
$pageHasForm and the onclick emission around $wizard->pageURI("+1") so the
rendered attribute cannot be broken by unescaped apostrophes or other special
chars.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 71edd4c4-8063-4a7c-9b4b-90eaf4a81b39

📥 Commits

Reviewing files that changed from the base of the PR and between fae2bee and f679f03.

📒 Files selected for processing (1)
  • htdocs/install/include/install_tpl.php

@mambax7 mambax7 merged commit 26f44e4 into XOOPS:master Mar 20, 2026
12 of 13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@coderabbitai coderabbitai[bot] coderabbitai[bot] approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mambax7