I am having some problems with the encoding of some titles sent to various services. For example, if the node title contains an apostrophe, such as

node' title

The service (verified with twitter and delicious.com) prompts for the following title:

node' title

Comments

TheCrow’s picture

Status: Active » Needs review
StatusFileSize
new287 bytes

A patch to test

TheCrow’s picture

Version: 6.x-2.1 » master
StatusFileSize
new287 bytes

This is for 7.x-2.1

an_mo’s picture

the patch for drupal 6 works for me/
thanks

Feet’s picture

Patch in #1 for D6 works great for me

dww’s picture

Assigned: Unassigned » dww
StatusFileSize
new300 bytes

Just marked #1645488: Twitter posts ' instead of apostrophes duplicate. I'm hitting the same bug.

Part of me thinks this is a deeper problem of double encoding. Ultimately, you're always populating $links to be used via theme('links', $links), and stuffing the query (after custom string manipulation to split the URL at ?) into $link['query'] as a single string. However, theme_links() eventually calls url() which will encode the query for you via drupal_query_string_encode() (oh, only if it's an array, hrm). ;) Heh, never mind. Although, it does make me wonder if it wouldn't be easier to just propagate all the query strings around via arrays since that'd make it easier to alter, would avoid a bunch of complicated string manipulation, and would allow core to handle the encoding properly for us instead of trying to do it all ourselves...

Anyway, patch #2 is not the right fix. _service_links_get_node_title() is only called by _service_links_get_tags() which is using it to populate all the various tokens for replacing URLs. These values aren't being rendered as HTML (in which case, check_plain() would be be appropriate), but are being used inside URLs. So, we need rawurlencode() and friends, not check_plain(). Which is exactly what we're calling in those cases. The raw <title> is raw (and according to grep, unused, anyway).

My attached patch is a better approach. Just return the $title directly, don't try to modify it at all, and let rawurlencode() do the right thing. check_plain() only makes sense for displaying untrusted text to a browser, not for building URLs. I recommend http://acko.net/blog/safe-string-theory-for-the-web if you haven't already read it.

I've tested this with a node titled Testing <script>alert('xss')</script> title and it all works as expected. No XSS alert thrown, URLs are proper, and it shows up correctly inside Twitter's tweet composing text area once you follow the service link to twitter.

BTW, this patch applies cleanly to both 7.x-2.x and 6.x-2.x.

Thanks!
-Derek

BeaPower’s picture

when will these be committed, having problems in current d7 version... 7.x-2.1

dww’s picture

@BeaPower: They'll be committed once there are sufficient reviews and testing of the patches that the maintainer feels confident in them. You could help with this by testing the patch on a dev site for your site and reporting the results here.

Thanks,
-Derek

matmasr’s picture

I have been experiencing a similar issues with Views 7.x-3.3. I have a view that is filtering nodes based on a taxonomy term. In that page layout, I have chosen to override the page title with my context argument "%1" which refers to the taxonomy term.
When a taxonomy term has a single quote ', it is displayed as ' instead. Also, the "&" character is showing up as &Amp; instead. I believe this may be a Views bug ?

dww’s picture

@matmasr: Please search in the views issue queue for an existing bug report about that and follow that issue. This issue is strictly about service_links, not views.

Thanks,
-Derek

matmasr’s picture

@dww ... thanks for the note. Apologies for posting here. Just though this is a common bug, independent of Views or service_links. I did post again at in Views issues que

sjancich’s picture

Patch in #5 worked for me!

simon georges’s picture

Version: master » 7.x-2.x-dev

Changing version during issue queue cleaning.

simon georges’s picture

Status: Needs review » Reviewed & tested by the community

Several people confirmed it works.

TheCrow’s picture

Status: Reviewed & tested by the community » Fixed

Pushed #5!

dww’s picture

Hurray, thanks!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Anonymous’s picture

Issue summary: View changes

added code tags to escape the bug report so we actually see what the bug is. ;)