Cannot edit/delete a shorturl ending in an HTML entity &name #3697

Open
5 tasks done
dgw opened this issue Dec 30, 2023 · 0 comments
Labels
bug Something isn't working

Comments

@dgw
Member

dgw commented Dec 30, 2023

Code of Conduct

Submission validity

  • This is not a personal support request, that should be posted on discussions community.
  • I checked current issues and this request isn't a duplicate of an existing issue, opened or closed.

Self troubleshooting

Version

1.9.2

Description

Escaping of parameters to admin-ajax.php is apparently inconsistent. When creating a shorturl keyword such as some&amp, the action succeeds—but it is not possible to delete that same keyword because the &amp substring as a whole is urlencoded to %26 instead of only the & character itself.

Attempting to edit the same keyword also fails with "Error, URL not found", and the action buttons for that row become permanently grayed out until the admin page is reloaded.

Expectation

No response

Reproduction steps

  1. Create and enable a plugin that allows & (&) in keywords.
  2. Create a shorturl using the entity name form, e.g. custom keyword named some&amp.
  3. Try to delete the resulting shorturl. YOURLS will say something wrong happened while deleting.

Access logs on the server will indicate that admin-ajax.php was called to delete the nonexistent keyword some%26.

Context

Note that this is not a problem when the character & appears in the keyword not followed by amp. For example, editing/deleting a custom shorturl named some&ersand works just fine, presumably because &ersand is not a known HTML entity name.

This is most likely related to the admin JavaScript incorrectly encoding things it shouldn't. I have not exhaustively tested all HTML entity names, but in addition to &amp I also reproduced the same problem with &lt and confirmed the problem does not occur for a keyword like some&ltsymbol. The bottom line is that whatever component encodes the parameters for an AJAX request probably shouldn't be looking for HTML entity names in a URL parameter (especially since a valid HTML character reference is supposed to end in ;, e.g. &amp;).


Higher-level background: I was attempting to figure out why the suggested approach to #3694 didn't work (adapting the allow-hyphens or similar charset plugin to allow a regular %20 space in shorturls), and happened to bump into this apparent bug when I selected & as another special character that would need to be escaped (as %26) in URLs.

(Will most likely open another issue about the unexpected behavior regarding (%20) soon.)

@dgw dgw added the bug Something isn't working label Dec 30, 2023
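
An added example, not part of the issue and not YOURLS code: a small model of how an HTML parser decodes semicolon-less names such as &amp at the end of an attribute value, which reproduces the some%26 request reported above and shows that escaping the keyword when it is rendered preserves it. It assumes (the issue does not confirm this) that the keyword reaches the admin script through an HTML attribute written without escaping; all function names are hypothetical.

```javascript
// Constructed model, not YOURLS code. Assumption: the stored keyword is written
// into a quoted HTML attribute and later read back by the admin script.

// Four of the names HTML parsers still accept without a trailing ';'.
const LEGACY = { amp: '&', lt: '<', gt: '>', quot: '"' };

// Decode an attribute value the way the HTML tokenizer treats these names:
// a semicolon-less match is left untouched when the next character is '='
// or alphanumeric; otherwise (including end of value) it is decoded.
function decodeAttribute(raw) {
  return raw.replace(/&(amp|lt|gt|quot)(;?)/g, (match, name, semi, offset, whole) => {
    const next = whole[offset + match.length] || '';
    if (!semi && /[=A-Za-z0-9]/.test(next)) return match;
    return LEGACY[name];
  });
}

// Escape a value for placement inside a quoted HTML attribute.
function escapeAttribute(value) {
  return value.replace(/&/g, '&amp;').replace(/</g, '&lt;')
              .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// The keyword parameter an AJAX request would carry, depending on whether the
// page escaped the keyword when rendering it into the attribute.
function keywordParam(keyword, escapeOnRender) {
  const rendered = escapeOnRender ? escapeAttribute(keyword) : keyword;
  return encodeURIComponent(decodeAttribute(rendered));
}

// Keywords taken from the issue text.
for (const kw of ['some&amp', 'some&lt', 'some&ersand', 'some&ltsymbol']) {
  console.log(kw, '| unescaped render ->', keywordParam(kw, false),
                  '| escaped render ->', keywordParam(kw, true));
}
```

In this model only the keywords ending in a bare entity name lose characters, matching the cases the report lists as failing and as working.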