If using AJAX, we are sending identifying data about this view.
The 'view_path' is encoded with check_plain() (htmlspecialchars($text, ENT_QUOTES, 'UTF-8')), but when the the view is rendered the $_REQUEST['view_path'] is deocded with rawurldecode() which doesn't decode the special characters.
Example: let's say I have a view with path like this:
search/d'drupal (d'drupal is a contextual filter)
when sending to ajax(using pager with ajax) the view_path will be encoded like this: d'drupal
and when the new identifying data is built the path will be encoded again, but now the path is already encoded as d'drupal because rawurldecode will not decode this string. the new path will be d'drupal
So bottom line we should use the same method to decode what do we use for encode. if we use check_plain for encoding we should use
htmlspecialchars_decode($_REQUEST['view_path'], ENT_QUOTES) for decoding.
Patch provided
Comment | File | Size | Author |
---|---|---|---|
change_view_path_decoding_method.patch | 811 bytes | cslevy | |
|
Comments
Comment #2
DamienMcKennaDoes this still affect 3.16?
Comment #3
David_Rothstein CreditAttribution: David_Rothstein as a volunteer commentedThe existing rawurldecode() seems like it's probably wrong here, at least, since PHP already decodes $_REQUEST automatically using urldecode() (http://php.net/manual/en/function.urldecode.php).
I don't know enough about the rest of the patch to comment on whether htmlspecialchars_decode() is a correct replacement or not.