View Issue Details

ID: 0021804
Project: mantisbt
Category: html
View Status: public
Last Update: 2016-11-12 11:27
Reporter: j_schultz
Assigned To: dregad
Status: closed
Resolution: fixed
Product Version: 1.3.2
Target Version: 1.3.3
Fixed in Version: 1.3.3
Summary: 0021804: Ampersands in Gravatar urls are not escaped properly

The rating and size parameters in Gravatar URLs are not escaped properly.
An example from the front page of this MantisBT instance:

<img class="avatar" src=""; alt="cproensa" width="32" height="32" />

The ampersands in the link should be escaped, i.e. "&r=G&s=32"

Tags: No tags attached.


Related to 0021844 (closed, dregad): Ampersands in Gravatar urls are double-escaped on bug pages




2016-10-17 08:48

reporter   ~0054247

It seems like Mantis automatically converts HTML entities (ouch!), so the last sentence in my description does not make a lot of sense. But I'm sure you know what I mean. :)



2016-10-17 11:20

developer   ~0054250



2016-10-17 11:30

developer   ~0054251

> It seems like Mantis automatically converts HTML entities (ouch!)

The "conversion" is done by the browser; we actually store the '& amp;' entity, and display it as such (look at the page source).

That said, I agree this could be confusing.

Related Changesets

MantisBT: master-1.3.x fa2e7171

2016-10-17 11:15:49


Gravatar plugin: escape ampersands in URLs

Fixes 0021804
mod - plugins/Gravatar/Gravatar.php

MantisBT: master-1.3.x aa2a3c0f

2016-11-09 12:06:39


Proper fix for gravatar URL '&' encoding

This partially reverts the change introduced in issue 0021804 (see commit
fa2e7171e5e5b85465e449b67e5ced6672b9f3f9), letting the caller escape the
URL as needed.

Fixes 0021844
mod - core/classes/TimelineEvent.class.php
mod - plugins/Gravatar/Gravatar.php
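
The double-escaping that the second changeset addresses, shown as an added PHP example that is not MantisBT's code: the function names, the www.gravatar.com URL layout and the sample e-mail address are assumptions for illustration. Escaping inside the URL builder and again at output produces a src value that no longer decodes to the raw URL, while escaping once in the caller does.

```php
<?php
// Added illustration; function names are hypothetical, not MantisBT's API.

// Builder: returns the raw URL and knows nothing about the output context.
function avatar_url_raw(string $email, int $size = 32, string $rating = 'G'): string {
    $hash = md5(strtolower(trim($email)));
    // Pass '&' explicitly: the arg_separator.output ini setting can change
    // the default separator, which would escape inside the builder.
    $query = http_build_query(['r' => $rating, 's' => $size], '', '&');
    return 'https://www.gravatar.com/avatar/' . $hash . '?' . $query;
}

// Builder that escapes for HTML itself.
function avatar_url_preescaped(string $email): string {
    return htmlspecialchars(avatar_url_raw($email), ENT_QUOTES, 'UTF-8');
}

// Caller: escapes once, at the point where the value enters an HTML attribute.
function avatar_img(string $url, string $alt): string {
    return sprintf(
        '<img class="avatar" src="%s" alt="%s" width="32" height="32" />',
        htmlspecialchars($url, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($alt, ENT_QUOTES, 'UTF-8')
    );
}

// Check: decoding the src attribute once must give back the raw URL.
function src_round_trips(string $html, string $raw_url): bool {
    if (!preg_match('/\ssrc="([^"]*)"/', $html, $m)) {
        return false;
    }
    return htmlspecialchars_decode($m[1], ENT_QUOTES) === $raw_url;
}

$email = 'user@example.com'; // constructed sample address
$raw   = avatar_url_raw($email);

$once  = avatar_img($raw, 'user');                           // escaped by the caller only
$twice = avatar_img(avatar_url_preescaped($email), 'user');  // escaped in builder and caller

echo $once, PHP_EOL, $twice, PHP_EOL;
var_dump(src_round_trips($once, $raw));   // single escape
var_dump(src_round_trips($twice, $raw));  // double escape
```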

Issue History

Date Modified Username Field Change
2016-10-17 08:46 j_schultz New Issue
2016-10-17 08:48 j_schultz Note Added: 0054247
2016-10-17 11:18 dregad Assigned To => dregad
2016-10-17 11:18 dregad Status new => assigned
2016-10-17 11:20 dregad Target Version => 1.3.3
2016-10-17 11:20 dregad Description Updated
2016-10-17 11:20 dregad Note Added: 0054250
2016-10-17 11:30 dregad Note Added: 0054251
2016-10-20 05:28 dregad Changeset attached => MantisBT master-1.3.x fa2e7171
2016-10-20 05:28 dregad Status assigned => resolved
2016-10-20 05:28 dregad Resolution open => fixed
2016-10-20 05:28 dregad Fixed in Version => 1.3.3
2016-10-30 23:22 vboctor Status resolved => closed
2016-11-02 21:59 vboctor Relationship added related to 0021844
2016-11-12 11:27 dregad Changeset attached => MantisBT master-1.3.x aa2a3c0f