BuddyPress.org

Opened 6 years ago

Closed 6 years ago

#7962 closed defect (bug) (fixed)

GetLinkParams Not Unencoding URL Parameters or Escaping HTML Entities

Reported by: n0barcode
Owned by: imath
Milestone: 3.2.0
Priority: normal
Severity: normal
Version: 3.0.0
Component: Templates
Keywords: has-patch commit
Cc:

Description

I've been creating custom/extended profile fields, such as drop-down lists. If I make the field searchable and make the list item values multiple words (with spaces) or use ampersands, double quotes, etc., clicking on the value when viewing the user profile will take you to the member list and populate the search field with the unescaped values, causing the search to fail or not yield the expected results (e.g. clicking on a value in the profile with a value of Alpha Omega would display Alpha+Omega in the search field on the member list page).

My fix was to escape everything in the GetLinkParams method on line 154, like this:

// URL-decode the value ('+' as space, then %XX), then unescape HTML entities; '&amp;' is handled last so an escaped '&amp;lt;' is not decoded twice
return n = n.split( '=' ), this[n[0]] = decodeURIComponent(n[1].replace(/\+/g, " ")).replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&quot;/g, "\"").replace(/&amp;/g, "&"), this;

I couldn't find any place where this method is called and is expecting URL-encoded data, so I changed it.

v3.1.0

Attachments (1)

7962.patch (1.6 KB) - added by imath 6 years ago.


Change History (6)

#1 @imath
6 years ago

  • Component changed from Core to Templates
  • Keywords has-patch reporter-feedback added
  • Milestone changed from Awaiting Review to 3.2.0
  • Owner set to imath
  • Status changed from new to assigned

Hi @n0barcode

Thanks a lot for your report. We already worked on this issue in ticket #7944. I guess it didn't fix all specialchars issues :)

I'd rather we leave the GetLinkParams function the way it is, as the issue only concerns search requests and this function can be used to get other parameters.

That's why I think we should go with 7962.patch. Can you test it and confirm it's fixing the issue for you as well?

#2 @n0barcode
6 years ago

Thanks @imath,

This patch works marvelously. I'm not sure if it's intentional or not, but the version I was on before would display the search criteria obtained from the query string in the search text box -- that's no longer happening. But the search is being performed and is working as expected.

[As a side note regarding escaping: When creating custom field options for a select box, if I use &amp; as part of the value (I know, nobody should do that. I just wanted to see what would happen.) it renders as an & after being saved, and then when editing a profile I'm no longer able to save the user profile if I select that particular option.]

#3 @imath
6 years ago

  • Keywords commit added; reporter-feedback removed

Thanks for your confirmation @n0barcode. I'm going to commit the patch.

About your side note, it probably needs another ticket so that we can investigate further.

#4 @imath
6 years ago

In 12218:

BP Nouveau: Improve special characters management in Members search

[12200] only partly fixed AJAX search requests into the Members directory:

  • The search input needs to output URL decoded characters.
  • Special characters such as ">" or "<", when directly typed into the search input, need to be URL encoded.

Props n0barcode

See #7962 (branch 3.0)

#5 @imath
6 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 12219:

BP Nouveau: Improve special characters management in Members search

[12201] only partly fixed AJAX search requests into the Members directory:

  • The search input needs to output URL decoded characters.
  • Special characters such as ">" or "<", when directly typed into the search input, need to be URL encoded.

Props n0barcode

Fixes #7962 (trunk)
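The two directions the commit messages describe, as an added example that is not BuddyPress code: a getLinkParams-style parser that URL-decodes query values (including '+' as a space) and the encoding step for a term typed into the search input. parseQueryString, safeDecode, buildSearchQuery and the members_search parameter name are assumptions; the parser deliberately does not unescape HTML entities, since that is a separate layer.

```javascript
// Added example, not BuddyPress code: parseQueryString, safeDecode,
// buildSearchQuery and the 'members_search' parameter name are hypothetical.

// Parse the query string of a URL into an object, URL-decoding keys and
// values. Form-encoded query strings write spaces as '+', which
// decodeURIComponent does not translate, so '+' is converted first.
function parseQueryString(url) {
  var params = {};
  var q = url.indexOf('?');
  var qs = q === -1 ? '' : url.slice(q + 1).replace(/#.*$/, ''); // drop any fragment
  if (!qs) {
    return params;
  }
  qs.split('&').forEach(function (pair) {
    if (!pair) {
      return;
    }
    var idx = pair.indexOf('=');
    var key = idx === -1 ? pair : pair.slice(0, idx);
    var raw = idx === -1 ? '' : pair.slice(idx + 1);
    params[safeDecode(key)] = safeDecode(raw.replace(/\+/g, ' '));
  });
  return params;
}

// decodeURIComponent throws a URIError on a malformed %-sequence such as
// "%E0%A4%A"; a malformed link must not break the page's script, so the raw
// text is kept. No HTML-entity decoding happens here: that is a separate
// layer, and folding it into the parser is what leads to double-decoding.
function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return s;
  }
}

// The other direction: a term typed into the search input is percent-encoded
// before it goes into the AJAX request URL, so '<', '>', '&', '"' and spaces
// survive the round trip through parseQueryString unchanged.
function buildSearchQuery(term) {
  return 'members_search=' + encodeURIComponent(term);
}
```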
