Skip to:
Content

BuddyPress.org

Opened 2 years ago

Last modified 2 years ago

#7645 new defect (bug)

gravatar parameters esc_url() function breaks the html formatting.

Reported by: xavierserranoa Owned by:
Milestone: Awaiting Contributions Priority: normal
Severity: normal Version:
Component: Media Keywords: has-patch
Cc:

Description

when debugging a site that was displaying gravatars wrong I noticed this on buddypress/bp-core/bp-core-avatars.php line 660

<?php
error_log( print_r($url_args,true));

outputs:

[15-Dec-2017 19:02:33 UTC] Array
(
    [s] => 30
    [r] => g
    [d] => mm
)
<?php
error_log( print_r(rawurlencode_deep( array_filter($url_args)),true));

output:

[15-Dec-2017 19:02:33 UTC] Array
(
    [s] => 30
    [r] => g
    [d] => mm
)
<?php
error_log( print_r(add_query_arg(rawurlencode_deep( array_filter($url_args))),true));

output:

[15-Dec-2017 19:02:33 UTC] /groups/historic-structures/admin/manage-members/?s=30&r=g&d=mm
<?php
error_log( print_r(esc_url(add_query_arg(rawurlencode_deep( array_filter($url_args)))),true));

output:

[15-Dec-2017 19:02:33 UTC] /groups/historic-structures/admin/manage-members/?s=30&#038;r=g&#038;d=mm
<?php
error_log( print_r(esc_url_raw(add_query_arg(rawurlencode_deep( array_filter($url_args)))),true));

Output:

[15-Dec-2017 19:02:33 UTC] /groups/historic-structures/admin/manage-members/?s=30&r=g&d=mm

removing the :

esc_url()

or probably the best fix which is switching it to use :

esc_url_raw()

will fix the problem

Attachments (1)

patch.diff (549 bytes) - added by xavierserranoa 2 years ago.
patch with fix

Download all attachments as: .zip

Change History (9)

@xavierserranoa
2 years ago

patch with fix

#1 @xavierserranoa
2 years ago

  • Keywords has-patch added
  • Version set to 2.9.2

#2 follow-up: @DJPaul
2 years ago

  • Keywords reporter-feedback added

Hi @xavierserranoa

I agree that changing that function on that string given would change the output in the way you say, but where and how did you find this problem on an actual site, please? I'm looking at a site's group > manage > members page, and everything seems to be displaying correct.

Any more information on how to reproduce the problem locally would be very helpful.

#3 @DJPaul
2 years ago

  • Milestone changed from Awaiting Review to Under Consideration

#4 in reply to: ↑ 2 @xavierserranoa
2 years ago

Hey @DJPaul unfortunately this was found on a private site behind a firewall so I cant provide a link so you can see. I was having issues with gravatar links like this www.gravatar.com/avatar/4fc1b0bd2d0c9cb1d0ce10cec1c74c3b?s=30&r=g&d=mm

Replying to DJPaul:

Hi @xavierserranoa

I agree that changing that function on that string given would change the output in the way you say, but where and how did you find this problem on an actual site, please? I'm looking at a site's group > manage > members page, and everything seems to be displaying correct.

Any more information on how to reproduce the problem locally would be very helpful.

Last edited 2 years ago by xavierserranoa (previous) (diff)

#5 follow-up: @DJPaul
2 years ago

How exactly did they not work? Did the images not render in a web browser? Which web browser?

#6 in reply to: ↑ 5 @xavierserranoa
2 years ago

So yea what was happening is the url parameters where being output like this ?s=30&#038;r=g&#038;d=mm so the url looked
like gravatar.com/avatar/4fc1b0bd2d0c9cb1d0ce10cec1c74c3b?s=30&#038;r=g&#038;d=mm which caused the html to break because the src attribute would be wrong.

Replying to DJPaul:

How exactly did they not work? Did the images not render in a web browser? Which web browser?

#7 @xavierserranoa
2 years ago

  • Keywords reporter-feedback removed

#8 @DJPaul
2 years ago

  • Component changed from Core to Media
  • Milestone changed from Under Consideration to Future Release
  • Version 2.9.2 deleted

The problem I have with this is recreating the problem in a web browser, and figuring out all the places in core that then add esc_url() calls around -- that's going to be awkward to track down, and it's possible we might end up affecting third-party themes. If it was a common problem, we'd have seen it ourselves by now, or had it reported by many people over the years.

I think this is likely to remain open until such some time someone reports a way of performing it on a BuddyPress installation without any other third-party plugins (or code changes introduced by hooks/filters in the theme).

Note: See TracTickets for help on using tickets.