We found that securepages rewrites #action URLs when they are external, and not pointing to the local site. This broke some of our functionality and through investigation, we found that securepages_form_alter() does not check whether the #action at hand is not local to the site and points to an outside URL instead.
This patch checks whether the action is a mailto: URL or contains a protocol, in which case it assumes it is external. It could be further enhanced by checking whether an external looking URL is in fact internal to the site, but looking through the core code and contrib modules we use, it looks like all of them use url() without the external TRUE parameter to generate internal url()s for #actions, so they generate protocol-free URLs.
Attached is a simple patch rolled from our SVN repository.
| Comment | File | Size | Author |
|---|---|---|---|
| #1 | securepages_external.patch | 502 bytes | gábor hojtsy |
| securepages_external.patch | 490 bytes | gábor hojtsy |
Comments
Comment #1
gábor hojtsyOh, gosh. Since mailto: is at the beginning of an #action, it will return 0 which might look FALSE here. So check specifically for that. :// at the beginning is not a protocol identifier pattern, so no problem there.
Comment #2
grendzy commentedThe 5.x branch is no longer supported. If this issue is still present in a current version of Secure Pages, please update the issue summary, change the version field, and re-open the issue.