Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.If using AJAX, we are sending identifying data about this view.
The 'view_path' is encoded with check_plain() (htmlspecialchars($text, ENT_QUOTES, 'UTF-8')), but when the the view is rendered the $_REQUEST['view_path'] is deocded with rawurldecode() which doesn't decode the special characters.
Example: let's say I have a view with path like this:
search/d'drupal (d'drupal is a contextual filter)
when sending to ajax(using pager with ajax) the view_path will be encoded like this: d'drupal
and when the new identifying data is built the path will be encoded again, but now the path is already encoded as d'drupal because rawurldecode will not decode this string. the new path will be d'drupal
So bottom line we should use the same method to decode what do we use for encode. if we use check_plain for encoding we should use
htmlspecialchars_decode($_REQUEST['view_path'], ENT_QUOTES) for decoding.
Patch provided
| Comment | File | Size | Author |
|---|---|---|---|
| change_view_path_decoding_method.patch | 811 bytes | cslevy | |
| |||
Comments
Comment #2
DamienMcKennaDoes this still affect 3.16?
Comment #3
David_Rothstein CreditAttribution: David_Rothstein as a volunteer commentedThe existing rawurldecode() seems like it's probably wrong here, at least, since PHP already decodes $_REQUEST automatically using urldecode() (http://php.net/manual/en/function.urldecode.php).
I don't know enough about the rest of the patch to comment on whether htmlspecialchars_decode() is a correct replacement or not.