Opened 6 years ago
Closed 6 years ago
#7962 closed defect (bug) (fixed)
GetLinkParams Not Unencoding URL Parameters or Escaping HTML Entities
Reported by: | | Owned by: | |
---|---|---|---|
Milestone: | 3.2.0 | Priority: | normal |
Severity: | normal | Version: | 3.0.0 |
Component: | Templates | Keywords: | has-patch commit |
Cc: |
Description
I've been creating custom/extended profile fields, such as drop-down lists. If I make the field searchable and make list item values multiple words (with spaces) or use ampersands, double quotes, etc., clicking on the value when viewing the user profile will take you to the member list and populate the search field with the unescaped values, causing the search to fail or not yield the expected results (e.g. clicking on a value in the profile with a value of Alpha Omega would display Alpha+Omega in the search field on the member list page).
My fix was to escape everything in the GetLinkParams method on line 154, like this:
return n = n.split( '=' ), this[n[0]] = decodeURIComponent(n[1].replace(/\+/g, " ")).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/"/g, "&quot;").replace(/>/g, "&gt;"), this;
I couldn't find any place where this method is called and is expecting URL-encoded data, so I changed it.
v3.1.0
Attachments (1)
Change History (6)
#1
@
6 years ago
- Component changed from Core to Templates
- Keywords has-patch reporter-feedback added
- Milestone changed from Awaiting Review to 3.2.0
- Owner set to imath
- Status changed from new to assigned
#2
@
6 years ago
Thanks @imath,
This patch works marvelously. I'm not sure if it's intentional or not, but the version I was on before would display the search criteria obtained from the query string in the search text box -- that's no longer happening. But the search is being performed and is working as expected.
[As a side note regarding escaping: When creating custom field options for a select box, if I use & as part of the value (I know, nobody should do that. I just wanted to see what would happen.) it renders as an &amp; after being saved, and then when editing a profile I'm no longer able to save the user profile if I select that particular option.]
Hi @n0barcode
Thanks a lot for your report. We already worked on this issue in this ticket #7944. I guess it didn't fix all specialchars issues :)
I'd rather we leave the GetLinkParams function the way it is, as the issue only concerns search requests and this function can be used to get other parameters. That's why I think we should go with 7962.patch. Can you test it and confirm it's fixing the issue for you as well?
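The two steps discussed in this ticket, URL-decoding a query-string value and HTML-escaping it, shown as separate functions so the decoded value can feed the search while escaping happens only where the value is written into markup. This is an added example, not code from the ticket or from 7962.patch; the function names, the `search` parameter and the sample query are assumptions constructed for illustration.

```javascript
// Added example: all names here are hypothetical, not BuddyPress functions.

// Decode one form-urlencoded component: "+" means space, then percent-decoding.
// "+" is replaced before decoding so that an encoded "%2B" stays a literal plus.
function decodeFormComponent(s) {
  const spaced = s.replace(/\+/g, ' ');
  try {
    return decodeURIComponent(spaced);
  } catch (e) {
    return spaced; // malformed escape such as a lone "%": keep the raw text
  }
}

// Parse a query string into decoded key/value pairs.
function parseQuery(query) {
  const params = Object.create(null); // no inherited keys to collide with
  for (const pair of query.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('='); // split at the first "=" only
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? '' : pair.slice(eq + 1);
    params[decodeFormComponent(key)] = decodeFormComponent(value);
  }
  return params;
}

// Escape for an HTML text node or a quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample: the profile value `Alpha & "Omega" <b>` as it would
// appear in a link's query string.
const sampleQuery = '?search=Alpha+%26+%22Omega%22+%3Cb%3E&page=2';

// The decoded value is what the search request should use ...
const searchTerm = parseQuery(sampleQuery).search;
// ... and it is escaped only at the point it is placed into HTML.
const inputMarkup = '<input type="search" value="' + escapeHtml(searchTerm) + '">';

console.log(searchTerm);
console.log(inputMarkup);
```

Keeping the parser free of HTML escaping means other callers get the real parameter value, and the same decoded string can be passed to `input.value` or `textContent` without any escaping at all.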