View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
| --- | --- | --- | --- | --- | --- |
| 0030204 | mantisbt | filters | public | 2022-05-13 05:07 | 2022-06-24 04:05 |

| Target Version | Fixed in Version |
| --- | --- |
| 2.25.5 | 2.25.5 |

Summary: 0030204: Create Permalink - special characters handling
If a category name contains the "&" character and this name is used in a filter, mantis generates a buggy link to the filter.
The f0[space][ampersand][space]f1 was parsed like f0[space], and the name after the ampersand (f1) is treated like the next parameter, not like a part of the name (that's why there's "=" added after it).
"f0%20&f1=" vs "f0%20%26%20f1"
(or & instead of %26)
|Steps To Reproduce|
Create a category with the "&" character in the name.
Function filter_encode_field_and_value (filter_api.php) calls PHP urlencode() for each field value. Maybe the value(s) should be processed with htmlspecialcharacters() or a similar function first?
|Tags||No tags attached.|
I can reproduce this.
I believe filter_encode_field_and_value()'s behavior is correct - given my test category "a&b", it is passed on to permalink_page.php as
The problem is with string_sanitize_url(), which for security reasons is decomposing the URL parameter to ensure it does not contain any malicious component; doing so, it urldecodes it so the
At this point I'm not really sure what's the best way to fix this. I need to think about it, there is a security trade-off here.
@tslanina I think I found a solution. Please test the code in the following pull request:
@tslanina any feedback?
I'm out of office for a couple of days... will test it tomorrow and give feedback.
Tomorrow has come and gone ;-)
So I assume you're OK with the proposed change, will merge shortly.
MantisBT: master-2.25 c54a3794
Use filter key instead of URL to build permalink
Refactor permalink_page.php to accept a temporary filter key and
generate the URL from that, instead of receiving a fully-formed URL.
This prevents issues when the filter criteria contain a `&` (e.g. a
category named "a & b"), causing the value to be interpreted as 2
distinct parameters due to string_sanitize_url() decoding the `%26`
before processing the query string.
|mod - core/filter_api.php||Diff File|
|mod - permalink_page.php||Diff File|
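
The order-of-operations problem named in the commit message (decoding `%26` before the query string is split), shown as an added example that is not MantisBT code and not part of the original issue. The helper names `split_query` and `rebuild_url`, the script name `example.php` and the parameter names are constructed for illustration.

```php
<?php
// Added illustration, not MantisBT code. The helper names, the script name and
// the parameter names are constructed for this example.

// Split a URL's query string into name => value pairs.
// $decode_first = true  : urldecode() the whole URL, then split on '&' and '='.
// $decode_first = false : split the still-encoded string, then decode each piece.
function split_query(string $url, bool $decode_first): array
{
    if ($decode_first) {
        $url = urldecode($url);
    }
    $query = explode('?', $url, 2)[1] ?? '';
    $pairs = [];
    foreach (explode('&', $query) as $pair) {
        if ($pair === '') {
            continue;
        }
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
        if (!$decode_first) {
            $name = urldecode($name);
            $value = urldecode($value);
        }
        $pairs[$name] = $value;
    }
    return $pairs;
}

// Re-encode parsed pairs into a URL, as a sanitizer does after validating them.
function rebuild_url(string $script, array $pairs): string
{
    return $script . '?' . http_build_query($pairs, '', '&');
}

// Constructed input: a category named "a & b", encoded with urlencode().
$url = 'example.php?category=' . urlencode('a & b') . '&page=1';

foreach ([true, false] as $decode_first) {
    $pairs = split_query($url, $decode_first);
    $rebuilt = rebuild_url('example.php', $pairs);
    echo $decode_first ? "decode, then split\n" : "split, then decode\n";
    echo '  names:   ', json_encode(array_keys($pairs)), "\n";
    echo '  rebuilt: ', $rebuilt, "\n";
    echo '  round-trips: ', var_export($rebuilt === $url, true), "\n";
}
```

Run with the PHP CLI: the decode-first pass reports an extra parameter with an empty value, which is where the stray `=` in the report comes from, while the split-first pass rebuilds the original URL unchanged.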