Description
Short description of the issue
The ProcessLogin module allows whitelisting URL params that should be preserved on login to the backend. This works great except for the fact that the params get html-encoded when the afterLoginUrl is created though it should be url-encoded. This behaviour occurs when a backend user has a deeplink to the backend but needs to authenticate before he can open the actual page.
Given that the user is not logged in and clicks on this example URL:
https://domain.com/processwire/tools/ourmodule?param=fünf
Given also that we've whitelisted the param in the ready.php by hooking into the ProcessLogin::getBeforeLoginVars like this:
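$wire->addHookAfter("ProcessLogin::getBeforeLoginVars", function(HookEvent $event) {
    // Vars that ProcessLogin will carry over to the after-login URL
    $vars = $event->return;
    $foo = $this->wire->input->get('param');
    // Whitelist "param" only when it is present in the request
    if($foo !== null) $vars['param'] = $this->wire->sanitizer->text($foo);
    $event->return = $vars;
});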
Expected behavior
After successful login the user should be redirected to the original URL:
https://domain.com/processwire/tools/ourmodule?param=fünf
Actual behavior
Instead the value fünf got html-encoded, resulting in:
https://domain.com/processwire/tools/ourmodule?param=f&uuml;nf
Which essentially cuts the value of param to "f" and adds a new param uuml;nf without a value.
Optional: Suggestion for a possible fix
In the ProcessLogin::__getAfterLoginUrl() this line should be changed from
if(!is_int($value)) $value = $this->wire('sanitizer')->entities($value);
to
if(!is_int($value)) $value = rawurlencode($value);
Setup/Environment
- ProcessWire version: 3.0.165
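
The effect reported above can be reproduced outside ProcessWire. The following is an added example, not code from the issue or from ProcessWire: `buildUrl()` is a hypothetical helper, `htmlentities()` stands in for `$sanitizer->entities()` (an assumption), and every sample value other than `fünf` is constructed. It builds the redirect URL with each encoder and parses it back the way the receiving page would.

```php
<?php
// Added illustration, not ProcessWire code.
// Assumption: htmlentities() approximates $sanitizer->entities().

// Hypothetical helper: append query vars to a base URL using the given encoder.
function buildUrl(string $base, array $vars, callable $encode): string {
    $pairs = [];
    foreach ($vars as $name => $value) {
        if (!is_int($value)) $value = $encode($value);
        $pairs[] = "$name=$value";
    }
    return $base . '?' . implode('&', $pairs);
}

$base = 'https://domain.com/processwire/tools/ourmodule';

// Constructed sample values: the umlaut from the report, plus characters
// that have a structural meaning inside a URL (& = #).
$samples = ['fünf', 'a&b=c', 'x y#z'];

$encoders = [
    'html' => function (string $v): string {
        return htmlentities($v, ENT_QUOTES, 'UTF-8');
    },
    'url'  => 'rawurlencode',
];

foreach ($samples as $sample) {
    foreach ($encoders as $label => $encode) {
        $url = buildUrl($base, ['param' => $sample], $encode);

        // Parse the query string back, as the page behind the login would.
        $parsed = [];
        parse_str((string) parse_url($url, PHP_URL_QUERY), $parsed);

        // The value survives only if exactly one param with the original
        // value comes back out.
        $status = ($parsed === ['param' => $sample]) ? 'round-trips' : 'CORRUPTED';
        printf("%-4s %-11s %s\n     parsed: %s\n", $label, $status, $url,
            json_encode($parsed, JSON_UNESCAPED_UNICODE));
    }
}
```

With the HTML encoder each sample comes back truncated or split into additional parameters, because `&`, `=` and `#` keep their meaning as URL delimiters; with `rawurlencode()` every sample round-trips unchanged.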