Closed (fixed)
Project:
Pathologic
Version:
6.x-3.4
Component:
Code
Priority:
Normal
Category:
Bug report
Assigned:
Unassigned
Reporter:
Created:
22 Dec 2009 at 17:06 UTC
Updated:
12 Aug 2011 at 23:36 UTC
Jump to comment: Most recent file
Comments
Comment #1
Garrett Albright commentedFilenames shouldn't have ampersands in them. Stop breaking the internet.
But theoretically, if you passed Pathologic a path with an ampersand in it, it should be converted to
%26, not&(or?amp). I might have to experiment a bit and look into why that's happening later. Probably won't be soon, though, unfortunately.Comment #2
heine commentedJust a note: because the pathologic filter is intended to run after the HTML filter, it always receives an escaped ampersand (
&).Next, please note that
http://example.com/foo&baris valid per RFC 2396 and should therefor not be converted to ?; it is not part of the query string.Comment #3
heine commentedWe appear to have crossposted.
A small aside: A URI is not necessarily a filename.
Further from the RFC
Comment #4
Garrett Albright commentedYes, you're correct, of course. But it's easier for me to blame you for using the module in an unanticipated or untested way than for me to admit and correct any fault in the code.
Well, I would hope that the HTML filter would be wise enough to not escape values in HTML attributes. But even if not, I don't think it's the culprit here, since you mentioned that the problem was still happening even after disabling all other filters. And I can't imagine what in Pathologic's code would be converting & to ?. But as I said, I'll experiment once the holidays stop spinning me around.
Comment #5
lambic commentedI agree that having ampersands in filenames is horrible, but filefield et al. allow it, so until they start rejecting them we have to expect our users to do dumb stuff like this. I'm still trying to persuade people not to use spaces...
Comment #6
heine commentedI do not use the pathologic filter. I also missed your joke :)
The HTML filter is a wrapper for filter_xss and it has to make sure there are no unescaped ampersands in the filtered text. The snippet below is invalid HTML due to the unescaped ampersand:
It should be:
So, when the HTML filter is disabled, one has to manually enter
&, giving pathologic yet again an entity.Comment #7
Garrett Albright commentedUnless I've been wrong about this for over a decade, that HTML is perfectly valid because the ampersand is unambiguously in a value of an HTML tag attribute. But maybe we're confusing the issue…?
(Also, my bad for not noticing that Heine wasn't the OP.)
Comment #8
heine commentedI'm very sorry, but you've been wrong for a decade. Blame the forgiving useragents!
We're not confusing the issue; there really are two issues here.
&in attributes, not&.&to?).If you still want to support invalid HTML, you could opt for supporting a single
&in addition to&as well.Comment #9
Garrett Albright commentedlambic, I just did some work on this and believe I may have solved it. I committed my changes; when a new dev release becomes available, please download it and give it a try and see if it corrects this problem for you (note that you'll have to clear your site's cache or edit and change the content that path is in before you'll see an effect).
Comment #10
lambic commentedI'm back at work today, I'll try to test it this afternoon.
Comment #11
lambic commentedI'm not seeing a new dev release, the current release is dated july.
Comment #12
Garrett Albright commentedGrr. Stupid CVS.
I'll do another push when I can, but the code is at home and I'm at work at the moment. I meant to do so last night, but it slipped my mind.
Comment #13
Garrett Albright commentedAll right, I can't figure out how to get CVS to stop being stupid and there doesn't seem to be anybody on IRC at the moment who can tell me how to get CVS to stop being stupid, so here's a stupid archive.
Comment #14
lambic commentedThe stupid archive looks good, tested with and without other input filters enabled.
Comment #15
Garrett Albright commentedJust to be clear, by "looks good," you mean it's now working as expected?
Comment #16
lambic commentedyes, working as expected.
Comment #17
Garrett Albright commentedI went ahead and made a new full beta release which incorporates these changes. Please test it out if you have a moment and confirm that it still works.
Comment #18
lambic commentedI've tested the new release and it seems to work fine. The user who reported the problem will be testing it sometime in the next few days so I'll report back if she has any issues but I don't anticipate any.
Thanks for the prompt update!
Comment #19
Garrett Albright commentedIn that case, I'll go ahead and close this issue out. Please feel free to re-open it if you see any similar issues pop up.
Comment #21
brad.bulger commentedI don't know if you'll want anything to do with this, but there's a remaining problem - describing here for people who might run into it.
i'm finding that with clean_urls and Pathologic enabled, links to files that have ampersands in their names no longer work, the ampersands getting changed to '%2526'. it's url() that's doing it, which as far as i can tell is for the reason described in #119876: UNable to use Ampersand within Wiki title - it's double-encoded for the clean URL. links to a Drupal path that contains an ampersand work fine, so it looks like that's working OK. the problem with file links is that they don't get decoded, because they're not known to Drupal. they're just files on the file system.
to get around this, i added code to Pathologic after the url() call that undoes the ampersand encoding if the
$paths['path']value is a file. probably it should handle other characters as well, this is just the only one that was a problem for us.