In any autocomplete field, if the user enters "../" in the textarea, the GET query to the backend includes this literal text, meaning that you can escape your autocomplete_path and get onto other pages. Of course, when you hit a regular HTML page, the JS can't parse it. Naively, it seems that these characters should be escaped, or POST should be used to a fixed URL.

This is an issue in at least D7 and D6. See attached screenshot.

Attachment: Autocomplete JS Error.jpg (35.83 KB), uploaded by lyricnz

Comments

dave reid

Issue tags: +autocomplete

Adding tag.

lyricnz

Bug still present in D7 head (e.g. try typing any '/' into an autocomplete field, or ".." at the start).

Two related bugs:

- any use of '/' in autocomplete text results in an HTTP 404 from the server
- starting autocomplete text with ".." causes the autocomplete to go off the top of the autocomplete_path
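
The two behaviours listed above, as an added example that is not part of this issue or of Drupal's code: a browser-side model of how typed text becomes the autocomplete request URL when it is appended to autocomplete_path, why "/" produces an extra path segment and ".." moves the request off the endpoint, and how carrying the text in the query string of a fixed URL avoids both. The function names, the example origin and the path `/user/autocomplete` are constructed for this demonstration; it also shows that percent-encoding alone is not enough, because encodeURIComponent leaves "." untouched and a bare ".." segment is still normalised away by the URL parser.

```javascript
// Added example (not Drupal's own code). Models three ways a widget can turn
// typed autocomplete text into a request URL and classifies where each one
// ends up. Origin and path below are constructed for the demo.

const ORIGIN = 'https://example.test';           // constructed
const AUTOCOMPLETE_PATH = '/user/autocomplete';  // constructed, stands in for autocomplete_path

// Naive form: raw input concatenated onto the path. The URL parser treats "/"
// as a segment separator and ".." as "go up one level".
function buildNaiveUrl(typed) {
  return new URL(AUTOCOMPLETE_PATH + '/' + typed, ORIGIN);
}

// Partial fix: percent-encode the input. "/" becomes %2F and stays inside one
// segment, but encodeURIComponent does not touch ".", so a segment that is
// exactly ".." is still normalised by the parser and escapes the path.
function buildEncodedUrl(typed) {
  return new URL(AUTOCOMPLETE_PATH + '/' + encodeURIComponent(typed), ORIGIN);
}

// Robust form: fixed path, text carried as a query parameter. Nothing the
// user types can change which path the backend routes the request to.
function buildQueryUrl(typed) {
  const url = new URL(AUTOCOMPLETE_PATH, ORIGIN);
  url.searchParams.set('q', typed);
  return url;
}

// Where did the request land after the browser resolved the URL?
//   'ok'            - still the autocomplete endpoint, one term at most
//   'extra-segment' - endpoint plus additional segments (the 404 case)
//   'escaped-path'  - no longer under the endpoint at all (the ".." case)
function classify(url) {
  const p = url.pathname;
  if (p === AUTOCOMPLETE_PATH) return 'ok';
  if (!p.startsWith(AUTOCOMPLETE_PATH + '/')) return 'escaped-path';
  const rest = p.slice(AUTOCOMPLETE_PATH.length + 1);
  return rest.includes('/') ? 'extra-segment' : 'ok';
}

// Constructed inputs: a benign term, the "/" case and the ".." case.
const SAMPLES = ['alice', 'a/b', '..', '../node'];

// Returns { input: { naive, encoded, query } } for every sample.
function compare(samples = SAMPLES) {
  const table = {};
  for (const typed of samples) {
    table[typed] = {
      naive: classify(buildNaiveUrl(typed)),
      encoded: classify(buildEncodedUrl(typed)),
      query: classify(buildQueryUrl(typed)),
    };
  }
  return table;
}

// Stand-alone run: print the resolved path each builder produces.
for (const typed of SAMPLES) {
  console.log(JSON.stringify(typed),
    'naive ->', buildNaiveUrl(typed).pathname,
    '| encoded ->', buildEncodedUrl(typed).pathname,
    '| query ->', buildQueryUrl(typed).pathname + buildQueryUrl(typed).search);
}
console.table(compare());
```

The query-string form round-trips the typed text unchanged (`url.searchParams.get('q')` returns it verbatim), so the backend can treat it as data rather than as part of the route, which is the fixed-URL approach the original report suggests.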

grendzy

Status: Active » Closed (duplicate)