View Issue Details

ID: 0021804
Project: mantisbt
Category: html
View Status: public
Last Update: 2016-11-12 11:27
Reporter: j_schultz
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.3.2
Target Version: 1.3.3
Fixed in Version: 1.3.3
Summary: 0021804: Ampersands in Gravatar urls are not escaped properly
Description

The rating and size parameters in Gravatar URLs are not escaped properly.
An example from the front page of this MantisBT instance:

<img class="avatar" src="https://secure.gravatar.com/avatar/e78c92aeae3add82782137cab2273872?d=identicon&r=G&s=32"; alt="cproensa" width="32" height="32" />

The ampersands in the link should be escaped, i.e. "&r=G&s=32"

Tags: No tags attached.

Relationships

related to 0021844 (closed, dregad): Ampersands in Gravatar urls are double-escaped on bug pages

Activities

j_schultz

2016-10-17 08:48

reporter   ~0054247

It seems like Mantis automatically converts HTML entities (ouch!), so the last sentence in my description does not make a lot of sense. But I'm sure you know what I mean. :)

dregad

2016-10-17 11:20

developer   ~0054250

https://github.com/mantisbt/mantisbt/pull/920

dregad

2016-10-17 11:30

developer   ~0054251

> It seems like Mantis automatically converts HTML entities (ouch!)

The "conversion" is done by the browser, we actually store the '& amp;' entity, and display it as such (look at the page source).

That said, I agree this could be confusing.

Related Changesets

MantisBT: master-1.3.x fa2e7171

2016-10-17 11:15:49

dregad

Gravatar plugin: escape ampersands in URLs

Fixes 0021804
mod - plugins/Gravatar/Gravatar.php

MantisBT: master-1.3.x aa2a3c0f

2016-11-09 12:06:39

dregad

Proper fix for gravatar URL '&' encoding

This partially reverts the change introduced in issue 0021804 (see commit
fa2e7171e5e5b85465e449b67e5ced6672b9f3f9), letting the caller escape the
URL as needed.

Fixes 0021844
mod - core/classes/TimelineEvent.class.php
mod - plugins/Gravatar/Gravatar.php
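
The two changesets above first escape the URL inside the plugin and then hand that job back to the caller. The following PHP example is added here for illustration and is not MantisBT's code; the function names are hypothetical. It shows why a URL producer should return the raw value and the caller should HTML-escape it exactly once at output time.

```php
<?php
// Added illustration. Function names are hypothetical, not MantisBT's API.

// Producer: returns the raw URL and does no HTML escaping, because it
// cannot know the output context the caller will place the value in.
function gravatar_url_raw( string $hash, int $size = 32, string $rating = 'G' ): string {
    $query = http_build_query(
        array( 'd' => 'identicon', 'r' => $rating, 's' => $size ),
        '',
        '&' // explicit raw separator, independent of arg_separator.output
    );
    return 'https://secure.gravatar.com/avatar/' . $hash . '?' . $query;
}

// Producer variant that HTML-escapes its return value.
function gravatar_url_escaped( string $hash ): string {
    return htmlspecialchars( gravatar_url_raw( $hash ), ENT_QUOTES, 'UTF-8' );
}

// Caller: escapes exactly once, where the value enters an HTML attribute.
function render_avatar( string $url, string $alt ): string {
    return sprintf(
        '<img class="avatar" src="%s" alt="%s" width="32" height="32" />',
        htmlspecialchars( $url, ENT_QUOTES, 'UTF-8' ),
        htmlspecialchars( $alt, ENT_QUOTES, 'UTF-8' )
    );
}

// What a browser requests: the src attribute value with entities decoded once.
function src_after_html_parsing( string $html ): string {
    preg_match( '/src="([^"]*)"/', $html, $m );
    return html_entity_decode( $m[1], ENT_QUOTES, 'UTF-8' );
}

$hash = 'e78c92aeae3add82782137cab2273872'; // hash from the issue description
$raw  = gravatar_url_raw( $hash );

$cases = array(
    'escaped once, by the caller'       => render_avatar( $raw, 'cproensa' ),
    'escaped by producer and by caller' => render_avatar( gravatar_url_escaped( $hash ), 'cproensa' ),
);
foreach ( $cases as $label => $html ) {
    $seen = src_after_html_parsing( $html );
    printf( "%s\n  markup:  %s\n  request: %s\n  intact:  %s\n\n",
        $label, $html, $seen, $seen === $raw ? 'yes' : 'no' );
}
```

In the second case the decoded `src` no longer matches the raw URL, which is the double-escaping reported in 0021844.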

Issue History

Date Modified | Username | Field | Change
2016-10-17 08:46 | j_schultz | New Issue |
2016-10-17 08:48 | j_schultz | Note Added: 0054247 |
2016-10-17 11:18 | dregad | Assigned To | => dregad
2016-10-17 11:18 | dregad | Status | new => assigned
2016-10-17 11:20 | dregad | Target Version | => 1.3.3
2016-10-17 11:20 | dregad | Description Updated |
2016-10-17 11:20 | dregad | Note Added: 0054250 |
2016-10-17 11:30 | dregad | Note Added: 0054251 |
2016-10-20 05:28 | dregad | Changeset attached | => MantisBT master-1.3.x fa2e7171
2016-10-20 05:28 | dregad | Status | assigned => resolved
2016-10-20 05:28 | dregad | Resolution | open => fixed
2016-10-20 05:28 | dregad | Fixed in Version | => 1.3.3
2016-10-30 23:22 | vboctor | Status | resolved => closed
2016-11-02 21:59 | vboctor | Relationship added | related to 0021844
2016-11-12 11:27 | dregad | Changeset attached | => MantisBT master-1.3.x aa2a3c0f