[OJS 3.2.1-1] Unable to save text input data when text contains specific words (like print and echo)

evangelos · October 2, 2020, 9:49am

Hello all,
we are facing an issue when we try to save text settings for a journal (Like Publishing Details, Key Information, Dedcription, etc…) and the text text contains specific words (like print and echo). Below you can find our OJS setup info, a description of the problem and how we tried to deal with it (with no success).

Application Version:
OS platform: Linux 5.4.0-40-generic #44-Ubuntu x86_64 GNU/Linux
OJS 3.2.1-1 (same problem occured with 3.2.1)
PHP Version: 7.4.8
Apache Version: Apache/2.4.41 (Ubuntu)
Database driver: postgres9
Database server version: PostgreSQL 12.4 (Ubuntu 12.4-0ubuntu0.20.04.1) on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 9.3.0-10ubuntu2) 9.3.0, 64-bit

Description of issue: We are unable to save text data to database if text contains words like ‘print’ and ‘echo’ (possibly there are more words that can cause the same issue). When you press save button, the loading icon goes on forever (See screenshots). From the apache2 access logs we can see that the PUT request returned 200 but was empty (“PUT /index.php/test/api/v1/contexts/1 HTTP/1.1” 200 0")

Steps that led us to the issue: We installed OJS (for the first time) and an editor of ours tried to complete the Journal Settings in Masterhead tab. (Same error happens for all roles (Admin, editor, etc))

What we tried to resolve the issue: Updated OJS from version 3.2.1 to 3.2.1-1. Tweaked some settings of config.inc.php (mainly parameters related to encoding and logging). We also tried using the REST API to make requests but ended up with same results. We programmatically (SQL query) inserted text like print to database and after refreshing the page it was visible on webpage. But when we clicked save button same issue happened. We also enabled verbose database logging.
Something that we noted from the logs is that when we write the word ‘test’ for example it works fine and from the logs we get:'UPDATE journal_settings SET setting_value=‘test’ WHERE journal_id=‘1’ and locale=‘en_US’ and setting_name=‘about’
If from the other hand write the word ‘print’ nothing that has to do with setting_name=‘about’ is logged (some other setting_names like setting_name=‘abbreviation’ seem to be updated)

It seems to us that that this may be a PHP issue because print and echo are language constructs…but that is just a guesse. So the problems seems to be related not only to Journal settings but for all the text input fields of the webpage. Screenshot from 2020-10-02 11-33-47

If you wish, we can send you specific logs that you want to look upon.

Thank you all in advance,

Evangelos

asmecher · October 2, 2020, 2:48pm

Hi @evangelos,

If specific words like print and echo are being filtered, it’s definitely not something built into OJS – it’s probably a 3rd-party security tool, either on the server side (e.g. mod_security or similar) or the client side (a desktop firewall, browser plugin, etc).

The fact that the PUT request has a 200 return code suggests to me that it’s something on the client side, but I’m not at all sure about that.

I would suggest looking around both the client and server for security-related logs, and reviewing your desktop setup for any tools that might be causing this.

Regards,
Alec Smecher
Public Knowledge Project Team

evangelos · October 5, 2020, 8:20am

Hi @asmecher,

Thank you very much for the quick reply.

I will take a look at the security related logs as you suggested and I will report back as soon as I find anything that can cause the issue.

Again, thank you for your suggestions.

Best regards,
Evangelos Koufogiannis