Escaping a string to pass to flash() causes a PHP warning

[AurelioDeRosa]

I'm using Klein 2.0.2 and in a function I have:

$service->flash('my message' . $service->escape($request->data), 'info');

While trying the robustness of the code, I set $request->data to <script> which is converted into %3Cscript%3E and this is the message I receive:

Warning: vsprintf(): Too few arguments in XXX\vendor\klein\klein\Klein\ServiceProvider.php on line 239

I've noted that even without calling $service->escape() the issue is still there because the parameter has already been escaped.

Hope this helps.

[Rican7]

Interesting. The error you're getting is referring to the markdown() method in the ServiceProvider, as you can see here: https://github.com/chriso/klein.php/blob/6e1f228ce82333b437402dafad049713eb3eeac6/Klein/ServiceProvider.php#L239

I don't see where you are calling markdown() in your example.

[AurelioDeRosa]

Indeed I don't call it, and yes...this is really interesting.

[Rican7]

Ah ha!
I see why the error is happening. If you pass a string to markdown() it calls vsprintf(). Since the printf() family of functions use %x (where x is a modifier) as notation for string replacements, it makes sense that its causing an error when you pass a string containing % characters.

I've fixed this locally on a branch of mine by escaping the % characters before passing them in.

You must be calling markdown() somewhere in your chain. There's no other way that you'd get that error or line-trace.

[AurelioDeRosa]

I'm sorry but I really don't use that method. Anyway, if you want you can create a release with this fix so that I can update my vendor folder, and then I'll inform you of the result.

[Rican7]

Hmm, the problem is that escaping the % signs means it'll no longer allow for template string parsing.
Its a regression.

I won't be able to release this without a more clever fix.

[Rican7]

For reference: http://stackoverflow.com/questions/3666734/php-sprintf-escaping

[AurelioDeRosa]

I see. Do whatever is best for the project, I've solved this issue as shown below:

$service->flash('my message' . $service->escape(strip_tags(urldecode($request->data))), 'info');

[Rican7]

There you go!
👍

Now if only we could figure out how you're ever even reaching line 239 in the markdown() method...

[nbish11]

@Rican7 I could be wrong, but isn't the flash() method calling the markdown() method behind the scenes?

[Rican7]

@nbish11 ohhhh yea. :P
Well that's strange. Damn.