If using AJAX, we are sending identifying data about this view.

The 'view_path' is encoded with check_plain() (htmlspecialchars($text, ENT_QUOTES, 'UTF-8')), but when the the view is rendered the $_REQUEST['view_path'] is deocded with rawurldecode() which doesn't decode the special characters.

Example: let's say I have a view with path like this:

search/d'drupal (d'drupal is a contextual filter)

when sending to ajax(using pager with ajax) the view_path will be encoded like this: d'drupal
and when the new identifying data is built the path will be encoded again, but now the path is already encoded as d'drupal because rawurldecode will not decode this string. the new path will be d'drupal

So bottom line we should use the same method to decode what do we use for encode. if we use check_plain for encoding we should use

htmlspecialchars_decode($_REQUEST['view_path'], ENT_QUOTES) for decoding.

Patch provided



cslevy created an issue. See original summary.

DamienMcKenna’s picture

Does this still affect 3.16?

David_Rothstein’s picture

The existing rawurldecode() seems like it's probably wrong here, at least, since PHP already decodes $_REQUEST automatically using urldecode() (http://php.net/manual/en/function.urldecode.php).

I don't know enough about the rest of the patch to comment on whether htmlspecialchars_decode() is a correct replacement or not.