[buddypress-trac] [BuddyPress Trac] #7962: GetLinkParams Not Unencoding URL Parameters or Escaping HTML Entities
buddypress-trac
noreply at wordpress.org
Wed Sep 5 23:34:31 UTC 2018
#7962: GetLinkParams Not Unencoding URL Parameters or Escaping HTML Entities
--------------------------+-----------------------------
 Reporter:  n0barcode     |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Core          |    Version:  3.0.0
 Severity:  normal        |   Keywords:
--------------------------+-----------------------------

I've been creating custom/extended profile fields, such as drop-down
lists. If I make the field searchable and make list item values multiple
words (with spaces) or use ampersands, double quotes, etc., clicking on the
value when viewing the user profile will take you to the member list and
populate the search field with the unescaped values, causing the search to
fail or not yield the expected results (e.g. clicking on a value in the
profile with a value of Alpha Omega would display Alpha+Omega in the
search field on the member list page).

My fix was to escape everything in the GetLinkParams method on line 154,
like this:

    return n = n.split( '=' ), this[n[0]] =
    decodeURIComponent(n[1].replace(/\+/g, " ")).replace(/&/g,
    "&").replace(/</g, "<").replace(/"/g, "\"").replace(/>/g, ">"),
    this;

I couldn't find any place where this method is called and is expecting
URL-encoded data, so I changed it.

v3.1.0
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/7962>
BuddyPress Trac <http://buddypress.org/>
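
Added example (not part of the ticket and not BuddyPress code): one way to decode form-encoded query parameters of the kind the report describes, keeping URL decoding separate from HTML escaping, which is applied only when a value is written into markup. The function names, parameter names and sample query string are constructed for illustration.

```javascript
// Added example: hypothetical helpers, not BuddyPress code.

// Decode one form-encoded component: '+' means space, then percent-decoding.
// The '+' replacement must run first so an encoded plus (%2B) survives.
// decodeURIComponent throws URIError on malformed input such as "%E0%A4%A";
// fall back to the raw text instead of aborting the whole parse.
function decodeFormComponent(raw) {
  const spaced = raw.replace(/\+/g, ' ');
  try {
    return decodeURIComponent(spaced);
  } catch (e) {
    return spaced;
  }
}

// Parse "a=1&b=two+words" (with or without a leading "?") into a plain map.
function parseLinkParams(query) {
  const params = Object.create(null); // no inherited keys to collide with
  for (const pair of query.replace(/^\?/, '').split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('='); // split on the first '=' only
    const key = decodeFormComponent(eq === -1 ? pair : pair.slice(0, eq));
    const value = eq === -1 ? '' : decodeFormComponent(pair.slice(eq + 1));
    params[key] = value;
  }
  return params;
}

// Escape at the point of output, when a value is placed into HTML markup.
// Assigning to an input's .value or to textContent needs no escaping.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
};
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed sample query string (parameter names are made up).
const sample =
  '?search_terms=Alpha+Omega&field=R%26D+%22Labs%22&x=a=b&bad=%E0%A4%A';
const parsed = parseLinkParams(sample);
console.log(parsed.search_terms);
console.log(escapeHtml(parsed.field));
```
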