View Issue Details

ID: 0021804
Project: mantisbt
Category: html
View Status: public
Last Update: 2016-11-12 11:27
Reporter: j_schultz
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.3.2
Target Version: 1.3.3
Fixed in Version: 1.3.3
Summary: 0021804: Ampersands in Gravatar urls are not escaped properly
Description

The rating and size parameters in Gravatar URLs are not escaped properly.
An example from the front page of this MantisBT instance:

<img class="avatar" src="https://secure.gravatar.com/avatar/e78c92aeae3add82782137cab2273872?d=identicon&r=G&s=32" alt="cproensa" width="32" height="32" />

The ampersands in the link should be escaped, i.e. "&r=G&s=32"
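The report above is about output encoding: a URL whose query string joins parameters with a raw "&" is not valid inside a double-quoted HTML attribute, and escaping it twice (once in the URL builder, once in the template) is the mirror-image bug tracked in 0021844. The following Python is an added example, not MantisBT's own PHP code: it builds a Gravatar URL unescaped, escapes it exactly once when the <img> tag is rendered, parses the tag the way a browser would to confirm the round trip, and shows what a double-escaped tag decodes to. The e-mail address and the MD5-of-lowercased-address hashing rule are assumptions made for the example.

```python
import hashlib
import html
from html.parser import HTMLParser
from urllib.parse import urlencode


def gravatar_url(email: str, size: int = 32, rating: str = "G",
                 default: str = "identicon") -> str:
    """Build a raw, unescaped Gravatar URL.

    Assumption for this example: the hash is MD5 of the trimmed, lower-cased
    address. The '&' separators are deliberately left as-is: this string is
    not yet bound to any output context (HTML attribute, JSON, plain text),
    so the caller escapes it for wherever it ends up.
    """
    digest = hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()
    query = urlencode({"d": default, "r": rating, "s": size})  # d=...&r=...&s=...
    return f"https://secure.gravatar.com/avatar/{digest}?{query}"


def avatar_img_tag(email: str, alt: str, size: int = 32) -> str:
    """Render an <img> tag, escaping each attribute value once, at output time.

    html.escape(quote=True) turns '&' into '&amp;' and '"' into '&quot;', so a
    multi-parameter query string is valid inside a double-quoted attribute and
    an attacker-influenced alt text cannot break out of its quotes.
    """
    url = gravatar_url(email, size=size)
    return (
        f'<img class="avatar" src="{html.escape(url, quote=True)}" '
        f'alt="{html.escape(alt, quote=True)}" width="{size}" height="{size}" />'
    )


def double_escaped_img_tag(email: str, alt: str, size: int = 32) -> str:
    """The failure mode: the URL builder escapes, and then the template escapes
    again. '&amp;' becomes '&amp;amp;', which a browser decodes to '&amp;r=G',
    so the request carries a parameter literally named 'amp;r'."""
    pre_escaped = html.escape(gravatar_url(email, size=size), quote=True)
    return (
        f'<img class="avatar" src="{html.escape(pre_escaped, quote=True)}" '
        f'alt="{html.escape(alt, quote=True)}" width="{size}" height="{size}" />'
    )


def extract_src(tag_html: str) -> str:
    """Parse the tag as a browser would and return the decoded src value.

    HTMLParser unescapes entities in attribute values, so the result is the URL
    the browser would actually request; comparing it with gravatar_url() is the
    check that escaping happened exactly once.
    """
    found = []

    class SrcCollector(HTMLParser):
        def handle_starttag(self, tag, attrs):  # also invoked for <img ... />
            if tag == "img":
                found.append(dict(attrs).get("src"))

    parser = SrcCollector()
    parser.feed(tag_html)
    return found[0]


if __name__ == "__main__":
    email = "alice@example.org"  # constructed sample address
    good = avatar_img_tag(email, "alice")
    print(good)
    print("browser requests:", extract_src(good))
    bad = double_escaped_img_tag(email, "alice")
    print(bad)
    print("browser requests:", extract_src(bad))
```

The design point matches the second changeset on this issue: the URL builder returns the raw value and the template escapes it for its context, so the same URL can also be dropped into a JSON field or a plain-text e-mail without carrying HTML entities along.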

Tags: No tags attached.

Relationships

related to 0021844 (closed, dregad): Ampersands in Gravatar urls are double-escaped on bug pages

Activities

j_schultz (reporter), 2016-10-17 08:48, ~0054247

It seems like Mantis automatically converts HTML entities (ouch!), so the last sentence in my description does not make a lot of sense. But I'm sure you know what I mean. :)

dregad (developer), 2016-10-17 11:20, ~0054250

https://github.com/mantisbt/mantisbt/pull/920

dregad (developer), 2016-10-17 11:30, ~0054251

It seems like Mantis automatically converts HTML entities (ouch!)

The "conversion" is done by the browser, we actually store the '& amp;' entity, and display it as such (look at the page source).

That said, I agree this could be confusing.

Related Changesets

MantisBT: master-1.3.x fa2e7171, 2016-10-17 07:15, dregad

Gravatar plugin: escape ampersands in URLs

Fixes 0021804

Affected Issues: 0021804

mod - plugins/Gravatar/Gravatar.php

MantisBT: master-1.3.x aa2a3c0f, 2016-11-09 07:06, dregad

Proper fix for gravatar URL '&' encoding

This partially reverts the change introduced in issue 0021804 (see commit
fa2e7171e5e5b85465e449b67e5ced6672b9f3f9), letting the caller escape the
URL as needed.

Fixes 0021844

Affected Issues: 0021804, 0021844

mod - core/classes/TimelineEvent.class.php
mod - plugins/Gravatar/Gravatar.php