-
Bug
-
Resolution: Fixed
-
Major
-
2.3.11, 2.4.9, 2.5.5, 2.6.2, 2.7
-
Any
-
MOODLE_23_STABLE, MOODLE_24_STABLE, MOODLE_25_STABLE, MOODLE_26_STABLE, MOODLE_27_STABLE
-
MOODLE_25_STABLE, MOODLE_26_STABLE, MOODLE_27_STABLE
-
MDL-44634-master -
-
There was a bug fix in MDL-28952 that was reintroduced by MDL-38431.
The comments block was outputting a double encoded URI for user's profile, which meant that the query parameters where ignored by profile.php, denying access to the resource.
The change in MDL-38431 seems as if it is intended to encode the URL safely by calling moodle_url->out(true). The problem occurs that later in the execution, html_writer::link() is called, which appears to encode the query parameters a second time.
The method where the second encoding occurs seems to be in outputcomponenets.php:
public static function attribute($name, $value) {
|
if ($value instanceof moodle_url) {
|
return ' ' . $name . '="' . $value->out() . '"';
|
}
|
|
// special case, we do not want these in output
|
if ($value === null) {
|
return '';
|
}
|
|
// no sloppy trimming here!
|
return ' ' . $name . '="' . s($value) . '"';
|
}
|
If there is a string, the function s() is called, which calls htmlspecialchars(), which will encode the ampersand into &
function s($var) {
|
|
if ($var === false) {
|
return '0';
|
}
|
|
// When we move to PHP 5.4 as a minimum version, change ENT_QUOTES on the
|
// next line to ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, and remove the
|
// 'UTF-8' argument. Both bring a speed-increase.
|
return preg_replace('/&#(\d+|x[0-9a-f]+);/i', '&#$1;', htmlspecialchars($var, ENT_QUOTES, 'UTF-8'));
|
}
|
Passing in an object will cause html_writer::attribute() to call moodle_url->out(), which is how I fix this issue in my patch.