0002091: Bugnotes containing urls with the '@' sign in them get mangled - MantisBT - Signup temporarily disabled due to spam

ID	Project	Category	View Status	Date Submitted	Last Update

0002091	mantisbt	bugtracker	public	2002-06-04 08:04	2004-11-06 06:55

Reporter	hacker	Assigned To	bpfennig
Priority	normal	Severity	minor	Reproducibility	always
Status	closed	Resolution	fixed
Platform	All
Product Version	0.17.3
Fixed in Version	0.19.1

Summary	0002091: Bugnotes containing urls with the '@' sign in them get mangled
Description	If you link to a URL that contains the '@' sign in it, either in the URI or in the query string, the bugnote will be transformed into a broken URL link. I managed to track this down to f_bugnote_add, and used str_replace() on the '@' turning it into n '%40' character, but this breaks for all text with the '@' symbol in it. Ideally, it should only replace the '@' with '%40' when it occurs inside a URI, not inside an email address or function call that uses the '@' symbol (such as an array definition in a perl structure)
Steps To Reproduce	Here's one example of a URL which will break: <a href="http://www.mail-archive.com/<a href="mailto:plucker-dev@rubberchicken.org/msg01805.html">http://www.mail-archive.com/plucker-dev@rubberchicken.org/msg01805.html</a" target="_new">plucker-dev@rubberchicken.org/msg01805.html">http://www.mail-archive.com/plucker-dev@rubberchicken.org/msg01805.html</a</a>> And here's the corrected version: <a href="http://www.mail-archive.com/plucker-dev%40rubberchicken.org/msg01805.html">http://www.mail-archive.com/plucker-dev%40rubberchicken.org/msg01805.html</a> Note that the '@' was replaced in the second version, but leaving it in the first will cause all kinds of weirdness.
Additional Information	Perhaps using urlencode() on $f_bugnote_text, and then urldecode() upon printing it, would keep it intact?
Tags	No tags attached.

jlatour 2002-08-15 10:24 reporter ~0003097	@ is not a valid character in the filename part of the URL, and should have been replaced with %40 anyway. We can't just replace @, because that would break URLs which use a <a href="http://user:<a href="mailto:password@server/">http://user:password@server/</a" target="_new">password@server/">http://user:password@server/</a</a>> syntax. Perhaps if we go through a lot of effort to parse the URL and finally replace only the right @'s (we can't just urlencode, since that would replace the :'s and /'s as well), it could be solved but I think in this case the user should just make sure (s)he provides valid URLs :) If you disagree, feel free to provide a fix.

jlatour 2002-08-15 10:25 reporter ~0003098	On the other hand, it appears that an URL with the @ at the right place isn't shown correctly either :)

hacker 2003-03-22 15:34 reporter ~0004027 Last edited: 2003-03-22 15:36	mail-archive.com (the original culpret) seems to have fixed it on their end, and the '@' is now properly encoded as %40 in the URI field of the browser. However, as you showed, the parsing of the '@' here is still not optimum. Incidentally, related to this, can we have a <code></code> tag pair which Mantis can recognize as "Convert the bracketed value to (I hope that just worked here) I know there was some discussion about moving to BBCode, but I'm not sure that's a good approach, unless "real" HTML is also supported in tandem. I'll beat on it a bit and see what I can come up with. edited on: 03-22-03 15:35 edited on: 03-22-03 15:36

jlatour 2003-03-22 15:47 reporter ~0004028	Is this still a problem in 0.18.0a4? I recall seeing something about this bug in the ChangeLog.

jfitzell 2003-03-22 20:12 reporter ~0004030	It should be ok... andre did a partial fix for it - I think there must have been another bug filed that he closed. His fix was incomplete so I rewrote the regexes and it should be working now.

hacker 2003-04-09 15:49 reporter ~0004148	It looks like it is functional now, except that the '@' sign alone is linked as a mailto in the bugreports/bugnotes if $g_html_make_links is set to "ON". It will occur here in this bugnote also, because I've used the '@' sign alone. I'm not sure if there's a way to figure out that it isn't an email address, unless you scan the string passed from blank space to blank space, and see if the word 'mailto' appears in it. If not, pass it through unmodified, and if so, make it a mailto. I'll ponder a better solution.

jfitzell 2003-04-09 17:46 reporter ~0004152	No, that's not a solution. The whole point is that you don't have to put in the mailto: I'll have a look at the regexes when I can. The problem is that the characters allowed in email addresses are actually pretty broad. But we should be able to insist on something on each side if we don't already. Let me see if it's an @ by itself too or only in quotes like you had it.

hacker 2003-04-09 17:57 reporter ~0004154 Last edited: 2003-04-09 17:58	Ok, so @ on its own is ok, apparently. I use quotes to make it stand out in the bug reports, so I'll see if it breaks in my system design. The initial report was because some sites that mirror mailing lists keep the @ sign in the URI they link to (mail-archive used to, and has since fixed it, there may be others). SNIP What about '@' in single-quotes. What about "@" in double-quotes? What about (@) in parenthesis? END Update: Noting the above, that it only affects it in single quotes, why does it break it when there is an href in double-quotes with an @ sign in the URI? I'll do some more testing locally to validate this. My bugreports tend to be very specific, and we do NOT want the HTML translated into clickable links, so every character must be passed through unmodified. edited on: 04-09-03 17:58

bevindarkgun 2003-04-20 13:31 reporter ~0004220	The URL problem looks to be related to 0002154 which causes hrefs to get mangled -certainly an @ containing URL works on my site with code changed as per bug note on 0002154 The '@' is displayed as a mailto because $t_atom in string_insert_hrefs() needs a \' in the [^...] part of the regexp - tried this on my system and '@' works fine for me now