How to use GUI screen controls / (Colors / Graphics Mode)

louis2

Hello,

I try to port a package which uses ^Colors / Graphics Mode^ control sequences to display underlined lines and lines displayed in reverse mode.

For more info about that see https://gist.github.com/fnky/458719343aabd01cfb17a3a4f7296797

In the netgate script I use as base, there is a line
^<pre><?= htmlspecialchars(shell_exec('/usr/local/sbin/pimctl show')); ?></pre>^ which is intended to display the output of in this case the 'pimctl' command.

That does work, however the ^line format sequences^ are not executed but just displayed as characters, which as consequence that the formatting of the screen is not as intended.

Question is, how to solve this

jimp

There likely isn't going to be a way to do that. Those types of characters and line drawing require support of a compatible terminal, and there isn't any hope of that all working in a web browser in the same way. All you can do is get the text, not a full rendering of how it might look in a terminal.

louis2

@jimp

There seems to be three solutions left:
a) changing the source code of the package
b) doing nothing except that the output does not look great
c) building a php routine which trans code the not possible formatting to some kind of formatting which can be done

changing the php line to something like
^<pre><?= style_reformat(tmlspecialchars(shell_exec('/usr/local/sbin/pimctl show'))); ?></pre>^

Where the ^style_reformatter^ should transcode the
ESC[4m ESC[24m set underline mode
ESC[7m ESC[27m set inverse/reverse mode
ESC[0m reset all modes (styles and colors)
To something else which can be displayed

I am not a php programmer, but if I have to choose between these three options, I tend to try option "c".
Changing text colors, bold, intent, extra line things like that

Advantage of option c) above option a) is that you do not have to hack someones its code (which might by the way, be simpler)

louis2

I did work around the problem in the following way:

The ANSI controls available in the output where
ESC[4m ESC[24m set underline mode
ESC[7m ESC[27m set inverse/reverse mode
ESC[0m reset all modes (styles and colors)
More info in https://gist.github.com/fnky/458719343aabd01cfb17a3a4f7296797

With as complicating factor that every modified line was terminated by the generic ESC[0m, which forced me to use a generic html termination code as well.

I defined an string array like this
$dictionary = array(
'#[4m' => '<span style="font-weight:bold"><br>________________________________________________________________________________________________' ,
'#[24m' => '</span>' ,
'#[7m' => '<span style="color:blue">' ,
'#[27m' => '</span>' ,
'#[0m' => '</span>' ,
);
Where the '#' is an replacement for the original ESC-character
( I do not know how to insert an ESC-character in a static string array)

Then the following line did the job
<pre><?= str_replace(array_keys($dictionary), $dictionary, str_replace(chr(27),'#', shell_exec('/usr/local/sbin/pimctl show')));

Note that I had to remove the 'htmlspecialchars()' function, since it escapes the intended html style controls.

Of course this is not a perfect solution, but it is not too complicated, the page layout is OK and I do not have to change the code of the external package.

I try to contact the package author to point to the fact that the package report should have an option to be html compatible.

jimp

You'll need to find a way for it to still go through htmlspecialchars() -- we can't dump unencoded/unprotected raw output from the shell to users. It could lead to an XSS or other similar security issue.

louis2

@jimp

Jim the solution was quit simple I overlooked an option to get a report without ansi controls.

pimctl -p show did the job (with htmlspecialchars() protection)

louis2

@jimp

One other reaction to add. I do not know which security measures / precautions Netgate makes with packages, e.g. with which authorization level they are running, however adding whatever 'external' code to your system is always a risk and surely if the involved system is a firewall.

So, but if you allow that whatever package to be installed, than you trust that package and an installed package does IMHO technically have the capability to do all kind of unwanted things with your platform.

If one of those more or less trusted packages generates fixed html code, it sounds strange to me to see that html code from one of your own packages as ^dangerous^ where the fact that the package is installed is again in my feeling is far more dangerous.

So, I do not need the htmlspecialchars() protection replacement for this case, but I do scratch my head why it is dangerous