fix(files): don't expose WebDAV XML-attribute artifacts as DOM attributes#3225
Open
chrip wants to merge 1 commit into
Open
fix(files): don't expose WebDAV XML-attribute artifacts as DOM attributes#3225chrip wants to merge 1 commit into
chrip wants to merge 1 commit into
Conversation
…utes
genFileInfo() flattens every DAV property and runs camelcase() on each
key. Since Nextcloud 33, a file's nc:system-tags property contains
<nc:system-tag> elements that carry XML attributes (can-assign, id,
user-visible, ...). The WebDAV parser represents those attributes with a
leading "@", and camelcase() preserves it, so genFileInfo produced keys
such as "@canAssign". When the resulting object is bound via v-bind in
Viewer.vue, Vue calls setAttribute("@canAssign", ...), which throws
"InvalidCharacterError: Invalid qualified name" on Firefox and Safari
(Chrome silently ignores it). The result is that tagged office files
cannot be opened in those browsers.
Skip the structured system-tags subtree (it is not scalar file metadata)
and, as a defensive backstop, drop any camelCased key that still starts
with "@", so XML-attribute artifacts never reach the DOM.
Ref: nextcloud/richdocuments#5490
Assisted-by: ClaudeCode:Opus-4.8
Signed-off-by: Christoph Schaefer <christoph.schaefer@nextcloud.com>
chrip
force-pushed
the
fix/5490-systemtags-invalid-dom-attribute
branch
from
2cc5765 to
f7e98f3
Compare
8 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Tagged office files (and other tagged files) cannot be opened in the Viewer on Firefox and Safari since Nextcloud 33. Opening them throws:
Chrome is unaffected (it silently tolerates the invalid attribute name).
Originally reported against Nextcloud Office: nextcloud/richdocuments#5490 — but the crash is in the Viewer's
genFileInfo, triggered for any tagged file.Root cause
genFileInfo()(src/utils/fileUtils.ts) recursively flattens every DAV property and runscamelcase()on every key.Since Nextcloud 33, a file's
nc:system-tagsPROPFIND property contains<nc:system-tag>elements that carry XML attributes (can-assign,id,user-visible, …) — seeapps/dav/lib/SystemTag/SystemTagList.phpin server. The WebDAV/fast-xml-parserlayer represents those attributes with a leading@(e.g.@can-assign), andcamelcase('@can-assign')preserves the leading@, yielding@canAssign.genFileInfotherefore produces a key@canAssignon the file-info object.Viewer.vuebinds that object withv-bind="currentFile", so Vue callsel.setAttribute('@canAssign', …).@is illegal in a DOM/XML qualified name → Firefox & Safari throw, Chrome ignores it.The server XML is valid; the bug is purely in the client-side flattening.
Fix
In
genFileInfo:system-tagssubtree — it is not scalar file metadata and should not be flattened into the file-info object.@, so WebDAV XML-attribute artifacts can never reach the DOM.Testing
Validated with a faithful reproduction of
genFileInfo's logic + the realcamelcase@8package against a webdav-parsed PROPFIND of a tagged file:@canAssign,@id,@userVisible→setAttributethrowssystemTagarray as attrfileid,filename, …)To reproduce manually: tag any office file, open it in Firefox → console
InvalidCharacterErroronmaster, gone with this change.Notes
js/are not included (my local toolchain is Node 22 / npm 10, the repo requires Node ^24 / npm ^11). Please recompile via CI / the compile bot.Ref: nextcloud/richdocuments#5490
Assisted-by: ClaudeCode:Opus-4.8