[buddypress-trac] [BuddyPress Trac] #7962: GetLinkParams Not Unencoding URL Parameters or Escaping HTML Entities

buddypress-trac noreply at wordpress.org
Wed Sep 5 23:34:31 UTC 2018


#7962: GetLinkParams Not Unencoding URL Parameters or Escaping HTML Entities
--------------------------+-----------------------------
 Reporter:  n0barcode     |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Core          |    Version:  3.0.0
 Severity:  normal        |   Keywords:
--------------------------+-----------------------------
 I've been creating custom/extended profile fields, such as drop-down
 lists. If I make the field searchable and make list item values multiple
 words (with spaces) or use ampersands, double quotes, etc., clicking on the
 value when viewing the user profile will take you to the member list and
 populate the search field with the unescaped values, causing the search to
 fail or not yield the expected results (e.g. clicking on a value in the
 profile with a value of Alpha Omega would display Alpha+Omega in the
 search field on the member list page).

 My fix was to escape everything in the GetLinkParams method on line 154,
 like this:

 return n = n.split( '=' ), this[n[0]] =
 decodeURIComponent(n[1].replace(/\+/g, " ")).replace(/&/g,
 "&").replace(/</g, "<").replace(/"/g, "\"").replace(/>/g, ">"),
 this;

 I couldn't find any place where this method is called and is expecting
 URL-encoded data, so I changed it.

 v3.1.0

-- 
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/7962>
BuddyPress Trac <http://buddypress.org/>
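
An added example, not BuddyPress code and not the reporter's patch: a stand-alone query-string parser that turns "+" and percent-escapes back into text, as the ticket asks, and applies HTML escaping only where the value is written into markup. The function names (decodeFormComponent, parseLinkParams, escapeHtml) and the sample URL are assumptions made for illustration.

```javascript
// Added example: names and sample input are hypothetical, not BuddyPress code.

// Decode one form-urlencoded component. "+" means space in this encoding;
// decodeURIComponent on its own leaves it as a literal "+".
function decodeFormComponent(raw) {
  const spaced = raw.replace(/\+/g, ' ');
  try {
    return decodeURIComponent(spaced);
  } catch (e) {
    // Malformed escape (e.g. "%E0%A4%A"): keep the text instead of throwing.
    return spaced;
  }
}

// Parse "a=1&b=2" (with or without a leading "?") into a plain object.
function parseLinkParams(query) {
  const params = Object.create(null); // no inherited keys such as "__proto__"
  for (const pair of query.replace(/^\?/, '').split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');     // split on the first "=" only
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const val = eq === -1 ? '' : pair.slice(eq + 1);
    params[decodeFormComponent(key)] = decodeFormComponent(val);
  }
  return params;
}

// Escape for HTML text or a quoted attribute. Apply at output time only, so
// the parsed value stays plain text for searching and comparison.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Constructed sample: a link for the field value  Alpha Omega & "Co" <x>
const sample = '?s=Alpha+Omega+%26+%22Co%22+%3Cx%3E&scope=all';
const parsed = parseLinkParams(sample);
console.log(parsed.s);             // plain text for the search request
console.log(escapeHtml(parsed.s)); // form that is safe to place in markup
```

Assigning the parsed value through a DOM property such as an input's value needs no escaping at all; escapeHtml is for the case where the value is concatenated into an HTML string.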