URLs are often double-escaped in smarty templates #4569

NateWr · 2019-03-04T16:45:32Z

We often use {url|escape ...} in a Smarty template when the URL contains user input. However, the {url} function already escapes the final URL, so this is unnecessary.

All instances of {url|escape ...} should be changed to {url ...}.

The text was updated successfully, but these errors were encountered:

asmecher · 2019-03-04T16:50:55Z

There is one case where the form {url|escape ...} is used in Javascript -- that should be changed to use json_encode instead. See lib/pkp/templates/controllers/grid/queries/form/queryForm.tpl:

$('#queryForm').pkpHandler(
 '$.pkp.controllers.form.CancelActionAjaxFormHandler',
   {ldelim}
     cancelUrl: {if $isNew}'{url|escape:javascript op="deleteQuery" queryId=$queryId csrfToken=$csrfToken params=$actionArgs escape=false}'{else}null{/if}
   {rdelim}
 );

The cancelUrl line should instead read:

 cancelUrl: {if $isNew}{url|json_encode op="deleteQuery" queryId=$queryId csrfToken=$csrfToken params=$actionArgs escape=false}{else}null{/if}

NateWr · 2022-09-05T14:29:24Z

PRs:
#8238
pkp/ojs#3537
pkp/omp#1197
pkp/ops#346

#4569 Use json_encode for URLs passed to JavaScript

pkp/pkp-lib#4569 Don't double-escape URLs

NateWr · 2022-09-06T15:04:05Z

Merged to main.

NateWr added the Try Me This issue might be good for a new contributor. Can you help us? label Mar 4, 2019

NateWr assigned thinkbulecount2 Aug 29, 2019

NateWr added a commit to NateWr/pkp-lib that referenced this issue Sep 5, 2022

pkp#4569 Use json_encode for URLs passed to JavaScript

bc2864b

NateWr added a commit to NateWr/ojs that referenced this issue Sep 5, 2022

pkp/pkp-lib#4569 Don't double-escape URLs

7cd456a

NateWr added a commit to NateWr/omp that referenced this issue Sep 5, 2022

pkp/pkp-lib#4569 Don't double-escape URLs

ec55593

NateWr added a commit to NateWr/ops that referenced this issue Sep 5, 2022

pkp/pkp-lib#4569 Don't double-escape URLs

a5bc9f8

NateWr assigned NateWr and unassigned thinkbulecount2 Sep 5, 2022

NateWr added the Housekeeping:1:Todo Any dependency management or refactor that would be nice to have some day. label Sep 5, 2022

NateWr added this to the 3.4 milestone Sep 5, 2022

NateWr added a commit that referenced this issue Sep 6, 2022

Merge pull request #8238 from NateWr/i4569_url_escape

9a71e85

#4569 Use json_encode for URLs passed to JavaScript

NateWr added a commit to pkp/omp that referenced this issue Sep 6, 2022

Merge pull request #1197 from NateWr/i4569_url_escape

a241bb7

pkp/pkp-lib#4569 Don't double-escape URLs

NateWr added a commit to pkp/ops that referenced this issue Sep 6, 2022

Merge pull request #346 from NateWr/i4569_url_escape

7b93bf4

pkp/pkp-lib#4569 Don't double-escape URLs

NateWr added a commit to pkp/ojs that referenced this issue Sep 6, 2022

Merge pull request #3537 from NateWr/i4569_url_escape

eb23700

pkp/pkp-lib#4569 Don't double-escape URLs

NateWr closed this as completed Sep 6, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

URLs are often double-escaped in smarty templates #4569

URLs are often double-escaped in smarty templates #4569

NateWr commented Mar 4, 2019

asmecher commented Mar 4, 2019 •

edited

Loading

NateWr commented Sep 5, 2022

NateWr commented Sep 6, 2022

URLs are often double-escaped in smarty templates #4569

URLs are often double-escaped in smarty templates #4569

Comments

NateWr commented Mar 4, 2019

asmecher commented Mar 4, 2019 • edited Loading

NateWr commented Sep 5, 2022

NateWr commented Sep 6, 2022

asmecher commented Mar 4, 2019 •

edited

Loading