View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0030204 | mantisbt | filters | public | 2022-05-13 05:07 | 2022-06-24 04:05 |
Reporter | tslanina | Assigned To | dregad | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 2.25.4 | ||||
Target Version | 2.25.5 | Fixed in Version | 2.25.5 | ||
Summary | 0030204: Create Permalink - special characters handling | ||||
Description | If category name contains "&" character and this name is used in filter, mantis generates buggy link to the filter. The f0[space][ampersand][space]f1 was parsed like f0[space], and name after ampersand(f1) is treated like next parameter, not like a part of the name (that's why there's "=" added after it). website.com/search.php?project_id=99&category_id=f0%20%26%20f1&sticky=on&sort=last_updated&dir=DESC&hide_status=80&match_type=0 "f0%20&f1=" vs "f0%20%26%20f1" (or & intead %26) | ||||
Steps To Reproduce | Create category with "&" character in the name. | ||||
Additional Information | Function filter_encode_field_and_value (filter_api.php) calls php urlencode() for each field values. Maybe the value(s) should be processed with htmlspecialcharacters() or similar function first ? | ||||
Tags | No tags attached. | ||||
I can reproduce this.
I believe filter_encode_field_and_value()'s behavior is correct - given my test category "a&b", it is passed on to permalink_page.php as The problem is with string_sanitize_url(), which for security reasons is decomposing the URL parameter to ensure it does not contain any malicious component; doing so, it urldecodes it so the At this point I'm not really sure what's the best way to fix this. I need to think about it, there is a security trade-off here. |
|
@tslanina I think I found a solution. Please test the code in the following pull request: |
|
@tslanina any feedback ? |
|
I'm out of office for a couple of days .. - will test it tomorrow and give a feedback. |
|
Tomorrow has come and gone ;-) So I assume you're OK with the proposed change, will merge shortly. |
|
MantisBT: master-2.25 c54a3794 2022-05-13 09:24 Details Diff |
Use filter key instead of URL to build permalink Refactor permalink_page.php to accept a temporary filter key and generate the URL from that, instead of receiving a fully-formed URL. This prevents issues when the filter criteria contain a `&` (e.g. a category named "a & b"), causing the value to be interpreted as 2 distinct parameters due to string_sanitize_url() decoding the `%26` before processing the query string. Fixes 0030204 |
Affected Issues 0030204 |
|
mod - core/filter_api.php | Diff File | ||
mod - permalink_page.php | Diff File |