Opened 7 years ago
Last modified 7 years ago
#7645 new defect (bug)
gravatar parameters esc_url() function breaks the html formatting.
Reported by: | xavierserranoa | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Contributions | Priority: | normal |
Severity: | normal | Version: | |
Component: | Media | Keywords: | has-patch |
Cc: |
Description
when debugging a site that was displaying gravatars wrong I noticed this on buddypress/bp-core/bp-core-avatars.php line 660
<?php error_log( print_r($url_args,true));
outputs:
[15-Dec-2017 19:02:33 UTC] Array ( [s] => 30 [r] => g [d] => mm )
<?php error_log( print_r(rawurlencode_deep( array_filter($url_args)),true));
output:
[15-Dec-2017 19:02:33 UTC] Array ( [s] => 30 [r] => g [d] => mm )
<?php error_log( print_r(add_query_arg(rawurlencode_deep( array_filter($url_args))),true));
output:
[15-Dec-2017 19:02:33 UTC] /groups/historic-structures/admin/manage-members/?s=30&r=g&d=mm
<?php error_log( print_r(esc_url(add_query_arg(rawurlencode_deep( array_filter($url_args)))),true));
output:
[15-Dec-2017 19:02:33 UTC] /groups/historic-structures/admin/manage-members/?s=30&r=g&d=mm
<?php error_log( print_r(esc_url_raw(add_query_arg(rawurlencode_deep( array_filter($url_args)))),true));
Output:
[15-Dec-2017 19:02:33 UTC] /groups/historic-structures/admin/manage-members/?s=30&r=g&d=mm
removing the :
esc_url()
or probably the best fix which is switching it to use :
esc_url_raw()
will fix the problem
Attachments (1)
Change History (9)
#2
follow-up:
↓ 4
@
7 years ago
- Keywords reporter-feedback added
Hi @xavierserranoa
I agree that changing that function on that string given would change the output in the way you say, but where and how did you find this problem on an actual site, please? I'm looking at a site's group > manage > members page, and everything seems to be displaying correct.
Any more information on how to reproduce the problem locally would be very helpful.
#4
in reply to:
↑ 2
@
7 years ago
Hey @DJPaul unfortunately this was found on a private site behind a firewall so I cant provide a link so you can see. I was having issues with gravatar links like this www.gravatar.com/avatar/4fc1b0bd2d0c9cb1d0ce10cec1c74c3b?s=30&r=g&d=mm
Replying to DJPaul:
Hi @xavierserranoa
I agree that changing that function on that string given would change the output in the way you say, but where and how did you find this problem on an actual site, please? I'm looking at a site's group > manage > members page, and everything seems to be displaying correct.
Any more information on how to reproduce the problem locally would be very helpful.
#5
follow-up:
↓ 6
@
7 years ago
How exactly did they not work? Did the images not render in a web browser? Which web browser?
#6
in reply to:
↑ 5
@
7 years ago
So yea what was happening is the url parameters where being output like this ?s=30&r=g&d=mm so the url looked
like gravatar.com/avatar/4fc1b0bd2d0c9cb1d0ce10cec1c74c3b?s=30&r=g&d=mm which caused the html to break because the src attribute would be wrong.
Replying to DJPaul:
How exactly did they not work? Did the images not render in a web browser? Which web browser?
#8
@
7 years ago
- Component changed from Core to Media
- Milestone changed from Under Consideration to Future Release
- Version 2.9.2 deleted
The problem I have with this is recreating the problem in a web browser, and figuring out all the places in core that then add esc_url()
calls around -- that's going to be awkward to track down, and it's possible we might end up affecting third-party themes. If it was a common problem, we'd have seen it ourselves by now, or had it reported by many people over the years.
I think this is likely to remain open until such some time someone reports a way of performing it on a BuddyPress installation without any other third-party plugins (or code changes introduced by hooks/filters in the theme).
patch with fix