Posted by yaronw on June 27, 2008 at 5:48pm
| Project: | CCK Redirection |
| Version: | 5.x-1.0 |
| Component: | Code |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | closed (duplicate) |
Issue Summary
& characters in the URI are converted to &amp;, thereby redirecting to a different destination than originally intended.
Comments
#1
I fixed it by replacing:
<?php
$url = check_plain($data[0]['value']);
?>
with
<?php
$url = str_replace('&amp;', '&', check_plain($data[0]['value']));
?>
Unless someone has another idea?
#2
Marked #352667: Changes characters when submitted as a duplicate.
#3
I changed the _cck_redirection_divert function to account for node prepopulate URLs. If you don't do this they won't complete correctly. It still does normal redirects correctly too.
function _cck_redirection_divert($element) {
  //print $element['#item']['value'];
  $url = $element['#item']['value'];
  $urls = explode("&", $url, 2);
  drupal_goto($urls[0], $urls[1]);
}
This works in the 6.x version at least.
#4
I'm seeing a similar problem, but rather than HTML-encoding query strings, they're being URL-encoded, so that (for instance) a CiviCRM URL such as
http://example.com/civicrm/contribute/transact?reset=1&id=4
becomes:
http://example.com/civicrm/contribute/transact%3Freset%3D1%2526id%3D4
... which unsurprisingly results in an "access denied" error.
Is there any workaround for this?
Thanks.
#5
This problem still exists. My fix above works. This function needs to be changed to
function _cck_redirection_divert($element) {
  if (!empty($element['#item']['value'])) {
    $url = $element['#item']['value'];
    $urls = explode("&", $url, 2);
    drupal_goto($urls[0], $urls[1]);
  }
}
#6
I made this patch (to version 5.x) in function cck_redirection_nodeapi:
--- cck_redirection.module+++ cck_redirection.module
@@ -33,12 +33,14 @@
if(!empty($fields)) {
$field = array_shift($fields);
$data = $node->$field['field_name'];
- $url = check_plain($data[0]['value']);
+ $url_array = explode('?', $data[0]['value'], 2);
+ $url = check_plain($url_array[0]);
+ $query = drupal_validate_utf8($url_array[1]) ? str_replace(array('"', "'", '<', '>'), array('"', ''', '<', '>'), $url_array[1]) : '';
if (!empty($url)) {
if(user_access('bypass redirection')) {
- drupal_set_message(t('This node is redirected to a !r', array('!r' => l(t('remote source'), $url))));
+ drupal_set_message(t('This node is redirected to a !r', array('!r' => l(t('remote source'), $url, null, $query))));
} else {
- drupal_goto($url);
+ drupal_goto($url, $query);
}
}
}
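Review bot: On the added `$query` line, `$url_array[1]` is read without checking that the field value contained a `?`; when it has no query string, `explode('?', $data[0]['value'], 2)` returns a single element and that index is undefined. Guard it first, for example with `isset($url_array[1])`, and fall back to an empty query. The same line escapes the query by hand with `str_replace()` while the path goes through `check_plain()`, yet `$query` is then passed both to `l()` (HTML output) and to `drupal_goto()` (a redirect), so a comment saying which output context the replacement targets would let the escaping be checked. A `#fragment` in the value also stays inside `$query`, because the split is on `?` only.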
It works and it's (IMHO) secure.
EDIT: forgot 'null' between $url and $query parameter
#7
This is a duplicate of the work progressing over at Issue #593376. A solution there will solve both this issue, as well as other URL component problems.
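The bug discussed in this thread comes from HTML-escaping a URL before it is used as a redirect target. The sketch below is an added example, not code from the CCK Redirection module: it validates the stored value, splits it into path, query and fragment, and escapes only when the URL is written into HTML. `htmlspecialchars()` stands in for Drupal's `check_plain()`, the `example_*` function names are hypothetical, the first sample is the URL quoted in comment #4, and the other two samples are constructed.

```php
<?php
// Added example; htmlspecialchars() stands in for Drupal's check_plain().
// The example_* names are hypothetical and not part of the module.

// Validate a stored redirect value and split it into path, query, fragment.
// Returns NULL when the value must not be used as a redirect target.
function example_split_redirect($value) {
  // Control characters (CR/LF included) must never reach a Location header.
  if ($value === '' || preg_match('/[\x00-\x1F\x7F]/', $value)) {
    return NULL;
  }
  $parts = parse_url($value);
  if ($parts === FALSE) {
    return NULL;
  }
  // Absolute URLs may only use http or https; relative paths have no scheme.
  if (isset($parts['scheme']) &&
      !in_array(strtolower($parts['scheme']), array('http', 'https'), TRUE)) {
    return NULL;
  }
  return array(
    'path' => substr($value, 0, strcspn($value, '?#')),
    'query' => isset($parts['query']) ? $parts['query'] : NULL,
    'fragment' => isset($parts['fragment']) ? $parts['fragment'] : NULL,
  );
}

// Rebuild the target for a Location header: raw "&", no HTML escaping.
function example_location(array $t) {
  return $t['path']
    . ($t['query'] !== NULL ? '?' . $t['query'] : '')
    . ($t['fragment'] !== NULL ? '#' . $t['fragment'] : '');
}

// The same target inside an HTML href: escape once, at output time.
function example_href(array $t) {
  return htmlspecialchars(example_location($t), ENT_QUOTES, 'UTF-8');
}

// Sample values: the URL from comment #4 plus two constructed inputs.
$samples = array(
  'http://example.com/civicrm/contribute/transact?reset=1&id=4',
  'node/add/story?edit[title]=Hello&edit[body]=World#top',
  'javascript:alert(1)',
);
foreach ($samples as $value) {
  $t = example_split_redirect($value);
  echo $t === NULL ? "rejected\n"
    : 'Location: ' . example_location($t) . "\n"
      . '<a href="' . example_href($t) . "\">remote source</a>\n";
}
```

The `Location:` lines keep the literal `&`, while the `href` values carry `&amp;`, which the browser decodes back to `&` when the link is followed.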