Index: includes/common.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/common.inc,v retrieving revision 1.922 diff -u -9 -p -r1.922 common.inc --- includes/common.inc 13 Jun 2009 19:28:57 -0000 1.922 +++ includes/common.inc 14 Jun 2009 10:42:17 -0000 @@ -227,32 +227,32 @@ function drupal_get_feeds($delimiter = " * @param $parent * Should not be passed, only used in recursive calls. * @return * An urlencoded string which can be appended to/as the URL query string. */ function drupal_query_string_encode($query, $exclude = array(), $parent = '') { $params = array(); foreach ($query as $key => $value) { - $key = drupal_urlencode($key); + $key = rawurlencode($key); if ($parent) { $key = $parent . '[' . $key . ']'; } if (in_array($key, $exclude)) { continue; } if (is_array($value)) { $params[] = drupal_query_string_encode($value, $exclude, $key); } else { - $params[] = $key . '=' . drupal_urlencode($value); + $params[] = $key . '=' . rawurlencode($value); } } return implode('&', $params); } /** * Prepare a destination query string for use in combination with drupal_goto(). * @@ -1951,20 +1951,20 @@ function format_date($timestamp, $type = * Generate a URL from a Drupal menu path. Will also pass-through existing URLs. * * @param $path * The Drupal path being linked to, such as "admin/content/node", or an * existing URL like "http://drupal.org/". The special path * '' may also be given and will generate the site's base URL. * @param $options * An associative array of additional options, with the following keys: * - 'query' - * A query string to append to the link, or an array of query key/value - * properties. + * A URL-encoded query string to append to the link, or an array of query + * key/value-pairs without any URL-encoding. * - 'fragment' * A fragment identifier (or named anchor) to append to the link. * Do not include the '#' character. * - 'absolute' (default FALSE) * Whether to force the output to be an absolute link (beginning with * http:). Useful for links that will be displayed outside the site, such * as in an RSS feed. * - 'alias' (default FALSE) * Whether the given path is an alias already. @@ -2056,19 +2056,19 @@ function url($path = NULL, array $option } if (function_exists('custom_url_rewrite_outbound')) { // Modules may alter outbound links by reference. custom_url_rewrite_outbound($path, $options, $original_path); } $base = $options['absolute'] ? $options['base_url'] . '/' : base_path(); $prefix = empty($path) ? rtrim($options['prefix'], '/') : $options['prefix']; - $path = drupal_urlencode($prefix . $path); + $path = drupal_encode_path($prefix . $path); if (variable_get('clean_url', '0')) { // With Clean URLs. if ($options['query']) { return $base . $path . '?' . $options['query'] . $options['fragment']; } else { return $base . $path . $options['fragment']; } @@ -3161,23 +3161,25 @@ function drupal_json($var = NULL) { * * Notes: * - For esthetic reasons, we do not escape slashes. This also avoids a 'feature' * in Apache where it 404s on any path containing '%2F'. * - mod_rewrite unescapes %-encoded ampersands, hashes, and slashes when clean * URLs are used, which are interpreted as delimiters by PHP. These * characters are double escaped so PHP will still see the encoded version. * - With clean URLs, Apache changes '//' to '/', so every second slash is * double escaped. + * - This function should only be used on paths, not on query string arguments, + * otherwise unwanted double encoding will occur. * * @param $text * String to encode */ -function drupal_urlencode($text) { +function drupal_encode_path($text) { if (variable_get('clean_url', '0')) { return str_replace(array('%2F', '%26', '%23', '//'), array('/', '%2526', '%2523', '/%252F'), rawurlencode($text)); } else { return str_replace('%2F', '/', rawurlencode($text)); } } Index: misc/autocomplete.js =================================================================== RCS file: /cvs/drupal/drupal/misc/autocomplete.js,v retrieving revision 1.29 diff -u -9 -p -r1.29 autocomplete.js --- misc/autocomplete.js 27 Apr 2009 20:19:35 -0000 1.29 +++ misc/autocomplete.js 14 Jun 2009 10:42:17 -0000 @@ -264,19 +264,19 @@ Drupal.ACDB.prototype.search = function if (this.timer) { clearTimeout(this.timer); } this.timer = setTimeout(function () { db.owner.setStatus('begin'); // Ajax GET request for autocompletion. $.ajax({ type: 'GET', - url: db.uri + '/' + Drupal.encodeURIComponent(searchString), + url: db.uri + '/' + Drupal.encodePath(searchString), dataType: 'json', success: function (matches) { if (typeof matches.status == 'undefined' || matches.status != 0) { db.cache[searchString] = matches; // Verify if these are still the matches the user wants to see. if (db.searchString == searchString) { db.owner.found(matches); } db.owner.setStatus('found'); Index: misc/drupal.js =================================================================== RCS file: /cvs/drupal/drupal/misc/drupal.js,v retrieving revision 1.55 diff -u -9 -p -r1.55 drupal.js --- misc/drupal.js 3 May 2009 07:35:37 -0000 1.55 +++ misc/drupal.js 14 Jun 2009 10:42:17 -0000 @@ -257,22 +257,23 @@ Drupal.freezeHeight = function () { /** * Unfreeze the body height. */ Drupal.unfreezeHeight = function () { $('#freeze-height').remove(); }; /** - * Wrapper to address the mod_rewrite url encoding bug - * (equivalent of drupal_urlencode() in PHP). + * Wrapper around encodeURIComponent() which avoids Apache quirks (equivalent of + * drupal_encode_path() in PHP). This function should only be used on paths, not + * on query string arguments. */ -Drupal.encodeURIComponent = function (item, uri) { +Drupal.encodePath = function (item, uri) { uri = uri || location.href; item = encodeURIComponent(item).replace(/%2F/g, '/'); return (uri.indexOf('?q=') != -1) ? item : item.replace(/%26/g, '%2526').replace(/%23/g, '%2523').replace(/\/\//g, '/%252F'); }; /** * Get the text selection in a textarea. */ Drupal.getSelection = function (element) { Index: modules/comment/comment.module =================================================================== RCS file: /cvs/drupal/drupal/modules/comment/comment.module,v retrieving revision 1.722 diff -u -9 -p -r1.722 comment.module --- modules/comment/comment.module 11 Jun 2009 15:17:15 -0000 1.722 +++ modules/comment/comment.module 14 Jun 2009 10:42:17 -0000 @@ -1999,22 +1999,22 @@ function theme_comment_post_forbidden($n // We only output any link if we are certain, that users get permission // to post comments by logging in. We also locally cache this information. $authenticated_post_comments = array_key_exists(DRUPAL_AUTHENTICATED_RID, user_roles(TRUE, 'post comments') + user_roles(TRUE, 'post comments without approval')); } if ($authenticated_post_comments) { // We cannot use drupal_get_destination() because these links // sometimes appear on /node and taxonomy listing pages. if (variable_get('comment_form_location_' . $node->type, COMMENT_FORM_SEPARATE_PAGE) == COMMENT_FORM_SEPARATE_PAGE) { - $destination = 'destination=' . drupal_urlencode("comment/reply/$node->nid#comment-form"); + $destination = 'destination=' . rawurlencode("comment/reply/$node->nid#comment-form"); } else { - $destination = 'destination=' . drupal_urlencode("node/$node->nid#comment-form"); + $destination = 'destination=' . rawurlencode("node/$node->nid#comment-form"); } if (variable_get('user_register', 1)) { // Users can register themselves. return t('Login or register to post comments', array('@login' => url('user/login', array('query' => $destination)), '@register' => url('user/register', array('query' => $destination)))); } else { // Only admins can add new users, no public registration. return t('Login to post comments', array('@login' => url('user/login', array('query' => $destination)))); Index: modules/search/search.test =================================================================== RCS file: /cvs/drupal/drupal/modules/search/search.test,v retrieving revision 1.23 diff -u -9 -p -r1.23 search.test --- modules/search/search.test 12 Jun 2009 08:39:38 -0000 1.23 +++ modules/search/search.test 14 Jun 2009 10:42:18 -0000 @@ -260,23 +260,23 @@ class SearchAdvancedSearchForm extends D */ function testNodeType() { $this->assertTrue($this->node->type == 'page', t('Node type is page.')); // Assert that the dummy title doesn't equal the real title. $dummy_title = 'Lorem ipsum'; $this->assertNotEqual($dummy_title, $this->node->title, t("Dummy title doens't equal node title")); // Search for the dummy title with a GET query. - $this->drupalGet('search/node/' . drupal_urlencode($dummy_title)); + $this->drupalGet('search/node/' . $dummy_title); $this->assertNoText($this->node->title, t('Page node is not found with dummy title.')); // Search for the title of the node with a GET query. - $this->drupalGet('search/node/' . drupal_urlencode($this->node->title)); + $this->drupalGet('search/node/' . $this->node->title); $this->assertText($this->node->title, t('Page node is found with GET query.')); // Search for the title of the node with a POST query. $edit = array('or' => $this->node->title); $this->drupalPost('search/node', $edit, t('Advanced search')); $this->assertText($this->node->title, t('Page node is found with POST query.')); // Advanced search type option. $this->drupalPost('search/node', array_merge($edit, array('type[page]' => 'page')), t('Advanced search')); Index: modules/simpletest/tests/common.test =================================================================== RCS file: /cvs/drupal/drupal/modules/simpletest/tests/common.test,v retrieving revision 1.46 diff -u -9 -p -r1.46 common.test --- modules/simpletest/tests/common.test 12 Jun 2009 08:39:39 -0000 1.46 +++ modules/simpletest/tests/common.test 14 Jun 2009 10:42:18 -0000 @@ -1,35 +1,45 @@ t('Tests for the l() function'), - 'description' => t('Confirm that url() works correctly with various input.'), + 'name' => t('URL generation'), + 'description' => t('Confirm that drupal_query_string_encode() and l() work correctly with various input.'), 'group' => t('System'), ); } /** - * Confirm that invalid text given as $path is filtered. + * Check that l() properly escapes $path. */ function testLXSS() { $text = $this->randomName(); $path = ""; $link = l($text, $path); $sanitized_path = check_url(url($path)); $this->assertTrue(strpos($link, $sanitized_path) != FALSE, t('XSS attack @path was filtered', array('@path' => $path))); } + + /** + * Test drupal_query_string_encode(). + */ + function testDrupalQueryStringEncode() { + $this->assertEqual(drupal_query_string_encode(array('a' => ' &#//+%20@۞')), 'a=%20%26%23%2F%2F%2B%2520%40%DB%9E', t('Value was properly encoded.')); + $this->assertEqual(drupal_query_string_encode(array(' &#//+%20@۞' => 'a')), '%20%26%23%2F%2F%2B%2520%40%DB%9E=a', t('Key was properly encoded.')); + $this->assertEqual(drupal_query_string_encode(array('a' => '1', 'b' => '2', 'c' => '3'), array('b')), 'a=1&c=3', t('Value was properly excluded.')); + $this->assertEqual(drupal_query_string_encode(array('a' => array('b' => '2', 'c' => '3')), array('b', 'a[c]')), 'a[b]=2', t('Nested array was properly encoded.')); + } } class CommonSizeTestCase extends DrupalUnitTestCase { protected $exact_test_cases; protected $rounded_test_cases; public static function getInfo() { return array( 'name' => t('Size parsing test'), Index: modules/system/system.js =================================================================== RCS file: /cvs/drupal/drupal/modules/system/system.js,v retrieving revision 1.26 diff -u -9 -p -r1.26 system.js --- modules/system/system.js 29 May 2009 19:51:43 -0000 1.26 +++ modules/system/system.js 14 Jun 2009 10:42:18 -0000 @@ -86,19 +86,19 @@ Drupal.behaviors.dateTime = { attach: function (context, settings) { // Show/hide custom format depending on the select's value. $('select.date-format:not(.date-time-processed)', context).change(function () { $(this).addClass('date-time-processed').parents('div.date-container').children('div.custom-container')[$(this).val() == 'custom' ? 'show' : 'hide'](); }); // Attach keyup handler to custom format inputs. $('input.custom-format:not(.date-time-processed)', context).addClass('date-time-processed').keyup(function () { var input = $(this); - var url = settings.dateTime.lookup +(settings.dateTime.lookup.match(/\?q=/) ? '&format=' : '?format=') + Drupal.encodeURIComponent(input.val()); + var url = settings.dateTime.lookup + (settings.dateTime.lookup.match(/\?q=/) ? '&format=' : '?format=') + encodeURIComponent(input.val()); $.getJSON(url, function (data) { $('div.description span', input.parent()).html(data); }); }); // Trigger the event handler to show the form input if necessary. $('select.date-format', context).trigger('change'); } }; Index: modules/update/update.fetch.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/update/update.fetch.inc,v retrieving revision 1.21 diff -u -9 -p -r1.21 update.fetch.inc --- modules/update/update.fetch.inc 6 Jun 2009 06:26:13 -0000 1.21 +++ modules/update/update.fetch.inc 14 Jun 2009 10:42:18 -0000 @@ -108,22 +108,22 @@ function _update_build_fetch_url($projec $name = $project['name']; $url = _update_get_fetch_url_base($project); $url .= '/' . $name . '/' . DRUPAL_CORE_COMPATIBILITY; // Only append a site_key and the version information if we have a site_key // in the first place, and if this is not a disabled module or theme. We do // not want to record usage statistics for disabled code. if (!empty($site_key) && (strpos($project['project_type'], 'disabled') === FALSE)) { $url .= (strpos($url, '?') === TRUE) ? '&' : '?'; $url .= 'site_key='; - $url .= drupal_urlencode($site_key); + $url .= rawurlencode($site_key); if (!empty($project['info']['version'])) { $url .= '&version='; - $url .= drupal_urlencode($project['info']['version']); + $url .= rawurlencode($project['info']['version']); } } return $url; } /** * Return the base of the URL to fetch available update data for a project. * * @param $project