I noticed this when attempting to view revisions of Drupal nodes after upgrading to 4.6.4

The & is now replaced with & so that the query string cannot be read.

I went crazy trying to figure out why, and the culprit apears to be the new version of the check_url function.

Any query string added to an URL by a module calling the l() function will now have the ampersand replaced by the html entity. I don't know about on your browsers (grin) but on mine, that doesn't work. The query string gets ignored.

The place that this is impacting me personally is that I can no longer look at revisions on a node without manually typing in the URL, in Drupal 4.6.4

Coyote

Comments

Coyote’s picture

Coyote commented

Sorry, the line : "The & is now replaced with & so that the query string cannot be read" should be:

The & is now replaced with & so that the query string cannot be read.

markus_petrux’s picture

markus_petrux commented

Hi!

I have also found this problem with 4.6.4. It is because htmlspecialchars is executed twice so a single ampersand (as added by the function url()) gets transformed into & by check_url(), and transformed into & at the end of the new function filter_xss_bad_protocol() (added to filter.module).

See for yourself:

function check_url($uri) {
  $uri = htmlspecialchars($uri, ENT_QUOTES);
  $uri = filter_xss_bad_protocol($uri, FALSE);

  return $uri;
}
function filter_xss_bad_protocol($string, $decode = TRUE) {
  // Get the plain text representation of the attribute value (i.e. its meaning)
  if ($decode) {
    $string = decode_entities($string);
  }
  // Remove soft hyphen
  $string = str_replace(chr(194) . chr(173), '', $string);
  $string2 = '';
  // Strip protocols
  do {
    $before = $string;
    $string = preg_replace_callback('/^([^:]+):/', '_filter_xss_bad_protocol', $string);
  } while ($before != $string);
  return check_plain($string);
}

Note filter_xss_bad_protocol calls check_plain, which looks like this (in bootstrap.inc):

function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES);
}

I believe it's probably wise now to simplify the function check_url() like this:

function check_url($uri) {
  $uri = filter_xss_bad_protocol($uri, FALSE);

  return $uri;
}

But that prolly depends on where the drupal devs wanted to go with the new changes.

markus_petrux’s picture

markus_petrux commented

Just seen this reported and fixed here:
http://drupal.org/node/39566

:cool:

chx’s picture

chx commented
Status: Active » Closed (duplicate)
kenorb’s picture

kenorb commented

for core 5.x & 6.x #119025: l() appends the querystring with modified ampersand symbols