Escaping of parameters to admin-ajax.php is apparently inconsistent. When creating a shorturl keyword such as some&amp, the action succeeds—but it is not possible to delete that same keyword because the &amp substring as a whole is urlencoded to %26 instead of only the & character itself.
Attempting to edit the same keyword also fails with "Error, URL not found", and the action buttons for that row become permanently grayed out until the admin page is reloaded.
Expectation
No response
Reproduction steps
Create and enable a plugin that allows & (&) in keywords.
Create a shorturl using the entity name form, e.g. custom keyword named some&amp.
Try to delete the resulting shorturl. YOURLS will say something wrong happened while deleting.
Access logs on the server will indicate that admin-ajax.php was called to delete the nonexistent keyword some%26.
Context
Note that this is not a problem when the character & appears in the keyword not followed by amp. For example, editing/deleting a custom shorturl named some&ersand works just fine, presumably because &ersand is not a known HTML entity name.
This is most likely related to the admin JavaScript incorrectly encoding things it shouldn't. I have not exhaustively tested all HTML entity names, but in addition to &amp I also reproduced the same problem with &lt and confirmed the problem does not occur for a keyword like some<symbol. The bottom line is that whatever component encodes the parameters for an AJAX request probably shouldn't be looking for HTML entity names in a URL parameter (especially since a valid HTML character reference is supposed to end in ;, e.g. &amp;).
Higher-level background: I was attempting to figure out why the suggested approach to #3694 didn't work (adapting the allow-hyphens or similar charset plugin to allow a regular %20 space in shorturls), and happened to bump into this apparent bug when I selected & as another special character that would need to be escaped (as %26) in URLs.
(Will most likely open another issue about the unexpected behavior regarding (%20) soon.)
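The following is an added example, not YOURLS code and not from the issue author. It models the suspected failure under the assumption that the keyword is HTML-entity-decoded before being URL-encoded, and compares that with encoding the raw keyword. All function names are hypothetical and the sample keywords are constructed from the ones named in the report.

```javascript
// Constructed model of the symptom, not YOURLS code. All names are hypothetical.
// Subset of the named character references HTML accepts without a trailing ';'.
const LEGACY_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"' };

// Assumed faulty step: the keyword is treated as HTML and entity names are decoded.
function decodeLegacyEntities(text) {
  return text.replace(/&(amp|lt|gt|quot);?/g, (_, name) => LEGACY_ENTITIES[name]);
}

// Parameter as seen in the access log in the report: decode first, then URL-encode.
function buggyParam(keyword) {
  return encodeURIComponent(decodeLegacyEntities(keyword));
}

// Parameter built from the raw keyword: URL-encoding only, no HTML handling.
function safeParam(keyword) {
  return encodeURIComponent(keyword);
}

// Regression check: keywords the server would receive in altered form,
// i.e. the ones whose delete/edit request targets a nonexistent keyword.
function mismatches(buildParam, keywords) {
  return keywords.filter((k) => decodeURIComponent(buildParam(k)) !== k);
}

// Constructed sample keywords based on those named in the report.
const SAMPLE_KEYWORDS = ['some&amp', 'some&lt', 'some&ersand', 'plain'];

console.log('decode-then-encode:', buggyParam('some&amp'));
console.log('encode only       :', safeParam('some&amp'));
console.log('altered (decode-then-encode):', mismatches(buggyParam, SAMPLE_KEYWORDS));
console.log('altered (encode only)       :', mismatches(safeParam, SAMPLE_KEYWORDS));
```

A round-trip check like `mismatches` can serve as a regression test for any charset plugin that widens the set of characters allowed in keywords.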
Version
1.9.2