Fatal frontend 500: scalar custom JSON-LD value crashes page render #97

Closed
opened 2026-06-29 14:19:04 +00:00 by jmiller · 1 comment
Owner

Problem (BLOCKING)

A scalar value saved into a record's custom_schema field white-screens the public frontend with a PHP 8 fatal error.

Root cause — two gaps

  1. Save side — MokoOGContent::validateJson() (plg_content_mokoog/src/Extension/MokoOGContent.php:321-330) only rejects empty/invalid JSON:
    if ($json === '' || json_decode($json) === null) { return ''; }
    
    A scalar like 42, "x", or true decodes to a non-null scalar, so it passes validation and is stored.
  2. Render side — MokoOG.php:359-363:
    $decoded = json_decode($customSchema, true);
    if (!empty($decoded)) {
        if (empty($decoded['@context'])) {
            $decoded['@context'] = 'https://schema.org'; // ← writes array offset onto a scalar
        }
    }
    
    Writing $decoded['@context'] when $decoded is an int/float/bool/null throws Error: Cannot use a scalar value as an array → unhandled 500 on every public page rendering that content.

Fix

  • validateJson(): require an object/array — reject unless is_array(json_decode($json, true)).
  • MokoOG.php: guard the render path with if (is_array($decoded)) before mutating.
  • Add a unit test feeding scalar/array/invalid payloads.

Severity

Release blocker — attacker/editor-supplied (or fat-fingered) input takes down the public site.

jmiller added the bug, security, production-readiness labels 2026-06-29 14:19:04 +00:00
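The two guards proposed in the issue, as an added example that is not the project's own code: `validateCustomSchema()` and `renderCustomSchema()` are hypothetical stand-ins for `validateJson()` and the render path in `MokoOG.php`, and the payloads are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical save-side check: keep only JSON that decodes to an array
// (a JSON object or list); scalars, null and invalid JSON become ''.
function validateCustomSchema(string $json): string
{
    $json = trim($json);
    if ($json === '') {
        return '';
    }
    return is_array(json_decode($json, true)) ? $json : '';
}

// Hypothetical render-side guard: never write an offset onto a non-array,
// so a scalar stored before the validation fix cannot fatal the page.
function renderCustomSchema(string $stored): ?string
{
    $decoded = json_decode($stored, true);
    if (!is_array($decoded) || $decoded === []) {
        return null; // emit no JSON-LD for this record
    }
    if (empty($decoded['@context'])) {
        $decoded['@context'] = 'https://schema.org';
    }
    return json_encode($decoded, JSON_UNESCAPED_SLASHES);
}

// Constructed payloads => whether validation should keep them.
$cases = [
    '42' => false, '"x"' => false, 'true' => false, '3.14' => false,
    'null' => false, '{bad json' => false, '' => false,
    '[{"@type":"Thing"}]' => true,
    '{"@type":"Article","headline":"Hi"}' => true,
];

foreach ($cases as $payload => $shouldStore) {
    $payload = (string) $payload; // PHP turns the key '42' into int 42
    $kept = validateCustomSchema($payload) !== '';
    if ($kept !== $shouldStore) {
        throw new RuntimeException("validation mismatch for {$payload}");
    }
    // Render the raw payload as well, simulating a row saved before the fix.
    $out = renderCustomSchema($payload) ?? '(skipped)';
    printf("%-38s stored=%-3s render=%s\n", var_export($payload, true), $kept ? 'yes' : 'no', $out);
}
```

A top-level JSON list also passes `is_array()`, and adding `@context` to it re-encodes as an object with numeric keys; whether lists should be accepted is a separate decision the issue does not address.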
Author
Owner

Branch created: [`feature/97-fatal-frontend-500-scalar-custom-json-ld`](https://git.mokoconsulting.tech/MokoConsulting/MokoSuiteOpenGraph/src/branch/feature/97-fatal-frontend-500-scalar-custom-json-ld)

```bash
git fetch origin
git checkout feature/97-fatal-frontend-500-scalar-custom-json-ld
```
Priority Medium
Type Feature
Reference: MokoConsulting/MokoSuiteOpenGraph#97