Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-44634

Regression: link to user profile in comments block fails due to double URI encoding

    Details

      Description

      There was a bug fix in MDL-28952 that was reintroduced by MDL-38431.

      The comments block was outputting a double encoded URI for user's profile, which meant that the query parameters where ignored by profile.php, denying access to the resource.

      The change in MDL-38431 seems as if it is intended to encode the URL safely by calling moodle_url->out(true). The problem occurs that later in the execution, html_writer::link() is called, which appears to encode the query parameters a second time.

      The method where the second encoding occurs seems to be in outputcomponenets.php:

          public static function attribute($name, $value) {
              if ($value instanceof moodle_url) {
                  return ' ' . $name . '="' . $value->out() . '"';
              }
       
              // special case, we do not want these in output
              if ($value === null) {
                  return '';
              }
       
              // no sloppy trimming here!
              return ' ' . $name . '="' . s($value) . '"';
          }
      

      If there is a string, the function s() is called, which calls htmlspecialchars(), which will encode the ampersand into &

      function s($var) {
       
          if ($var === false) {
              return '0';
          }
       
          // When we move to PHP 5.4 as a minimum version, change ENT_QUOTES on the
          // next line to ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, and remove the
          // 'UTF-8' argument. Both bring a speed-increase.
          return preg_replace('/&#(\d+|x[0-9a-f]+);/i', '&#$1;', htmlspecialchars($var, ENT_QUOTES, 'UTF-8'));
      }
      

      Passing in an object will cause html_writer::attribute() to call moodle_url->out(), which is how I fix this issue in my patch.

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Votes:
                  0 Vote for this issue
                  Watchers:
                  4 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved:
                    Fix Release Date:
                    14/Jul/14