When sending a message, if you select a username that contains an apostrophe, it will be returned encoded (replacing the apostrophe with `&#039;`). That causes the form to throw an error that the username doesn't exist.

Files:
#16 privatemsg_prevent-encoded-username-autocomplete-1694558-15.patch (1.76 KB, Sutharsan): PASSED: [[SimpleTest]]: [MySQL] 3,125 pass(es).
#12 D7-privatemsg_prevent-encoded-username-autocomplete-1694558-10.patch (1.78 KB, stefgosselin): FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch D7-privatemsg_prevent-encoded-username-autocomplete-1694558-10.patch. See the log in the details link for more information.
#11 privatemsg_prevent-encoded-username-autocomplete-1694558-9.patch (1.24 KB, stefgosselin): FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch privatemsg_prevent-encoded-username-autocomplete-1694558-9_0.patch. See the log in the details link for more information.
#9 privatemsg_prevent-encoded-username-autocomplete-1694558-9.patch (1.24 KB, stefgosselin): FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch privatemsg_prevent-encoded-username-autocomplete-1694558-9.patch. See the log in the details link for more information.
#3 privatemsg_prevent-encoded-username-autocomplete-1694558-2.patch (1.08 KB, mstef): PASSED: [[SimpleTest]]: [MySQL] 3,125 pass(es).
#1 privatemsg_prevent-encoded-username-autocomplete-1694558.patch (479 bytes, mstef): FAILED: [[SimpleTest]]: [MySQL] 3,124 pass(es), 1 fail(s), and 1 exception(s).

Comments

Status: Active » Needs review
File: new, 479 bytes. FAILED: [[SimpleTest]]: [MySQL] 3,124 pass(es), 1 fail(s), and 1 exception(s).

What do you think about using strip_tags() instead of check_plain() in theme_privatemsg_username()?

Status: Needs review » Needs work

The last submitted patch, privatemsg_prevent-encoded-username-autocomplete-1694558.patch, failed testing.

Status: Needs work » Needs review
File: new, 1.08 KB. PASSED: [[SimpleTest]]: [MySQL] 3,125 pass(es).

Update the test to match

Well, strip_tags() would on the other hand break a username that has in it, which is not possible by default but still.

Not sure, how does core handle this? There is a user autocomplete on the node author textfield, I think.

It uses:

// Drupal 7 core, user.module. The returned JSON maps the raw username (the
// value the autocomplete JS writes into the textfield) to its HTML-escaped
// label (the text shown in the dropdown).
function user_autocomplete($string = '') {
  $matches = array();
  if ($string) {
    // Prefix match on {users}.name, capped at 10 rows. db_like() escapes
    // LIKE wildcards in the user-typed string.
    $result = db_select('users')
      ->fields('users', array('name'))
      ->condition('name', db_like($string) . '%', 'LIKE')
      ->range(0, 10)
      ->execute();
    foreach ($result as $user) {
      // Key: raw name (what gets inserted). Value: escaped label (what is displayed).
      $matches[$user->name] = check_plain($user->name);
    }
  }
  drupal_json_output($matches);
}

It also has check_plain(), but I just tested and the autocomplete doesn't return it to the textfield encoded, and there are no problems on submit.

Hmm..?

Ah yes, makes sense. Only the label that is displayed is run through check_plain(), the key is then what is actually inserted into the textfield, and that doesn't need to be escaped. That's the way then :)
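As an added illustration of the key/label split described in the comment above (example code written for this page, not code from Drupal core or the privatemsg module): check_plain() is re-implemented locally as htmlspecialchars() with ENT_QUOTES so the script runs without a Drupal bootstrap, the user list is constructed sample data standing in for the {users} query, json_encode() stands in for drupal_json_output(), and the names autocomplete_buggy(), autocomplete_fixed(), find_users() and user_exists() are hypothetical. The first variant escapes the key, which is the behaviour the issue summary describes; the second escapes only the label, as core's user_autocomplete() does.

```php
<?php
// Added illustration for this issue, not code from privatemsg or Drupal core.
// check_plain() is reproduced locally so this runs outside Drupal; the user
// list is constructed sample data; all function names here are hypothetical.

// Stand-in for Drupal 7's check_plain(): htmlspecialchars() with ENT_QUOTES,
// which turns an apostrophe into &#039;.
function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample accounts, standing in for the {users} table.
$users = array("O'Brien", "O'Neil-D'Arcy", 'alice', 'bob');

// Stand-in for the LIKE 'prefix%' query the autocomplete callbacks run.
function find_users(array $users, $prefix) {
  return array_values(array_filter($users, function ($name) use ($prefix) {
    return $prefix === '' || stripos($name, $prefix) === 0;
  }));
}

// Before the fix: the escaped name is used both as the key (what the
// autocomplete JS writes into the textfield) and as the label (what it shows).
function autocomplete_buggy(array $users, $string) {
  $matches = array();
  foreach (find_users($users, $string) as $name) {
    $escaped = check_plain($name);
    $matches[$escaped] = $escaped;
  }
  return $matches;
}

// After the fix, the way core's user_autocomplete() does it: the raw name is
// the key and only the displayed label goes through check_plain().
function autocomplete_fixed(array $users, $string) {
  $matches = array();
  foreach (find_users($users, $string) as $name) {
    $matches[$name] = check_plain($name);
  }
  return $matches;
}

// What the message form's validation effectively does with the submitted
// textfield value: look it up as a username.
function user_exists(array $users, $submitted) {
  return in_array($submitted, $users, TRUE);
}

$typed = "O'B";
$variants = array(
  'buggy' => autocomplete_buggy($users, $typed),
  'fixed' => autocomplete_fixed($users, $typed),
);
foreach ($variants as $variant => $matches) {
  // json_encode() stands in for drupal_json_output().
  echo "$variant JSON: " . json_encode($matches) . "\n";
  foreach (array_keys($matches) as $key) {
    // $key is the string the autocomplete inserts into the textfield.
    printf("  textfield gets %s -> user exists: %s\n", json_encode($key),
      user_exists($users, $key) ? 'yes' : 'no');
  }
}
```

Run it with `php example.php`. The buggy variant puts `O&#039;Brien` into the textfield, which no longer matches any account and so fails the "username doesn't exist" check; the fixed variant puts `O'Brien` into the textfield while the dropdown still displays the escaped label, which the browser renders as a plain apostrophe.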

Yeah, but it's not displayed in the textfield as escaped.. that's what is confusing me.

And what's confusing me is that privatemsg_autocomplete() is also only escaping the label. But not working..

I have the same issue. I only want to note that it is probably a problem in the JS?

File: new, 1.24 KB. FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch privatemsg_prevent-encoded-username-autocomplete-1694558-9.patch. See the log in the details link for more information.

The fix seems to do the trick but the bundled private message realname module has the same issue.

Attached patch replicates the strategy in privatemsg_realname.module.

Status: Needs review » Needs work

The last submitted patch, privatemsg_prevent-encoded-username-autocomplete-1694558-9.patch, failed testing.

File: new, 1.24 KB. FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch privatemsg_prevent-encoded-username-autocomplete-1694558-9_0.patch. See the log in the details link for more information.

Retest patch at #9

File: new, 1.78 KB. FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch D7-privatemsg_prevent-encoded-username-autocomplete-1694558-10.patch. See the log in the details link for more information.

Retest patch at #9

Status: Needs work » Needs review

Status: Needs review » Needs work

I think testbot is choking on the patch because it applies a fix in a submodule (privatemsg_realname). To anyone stumbling on this thread needing the fix for privatemsg_realname, patch 12 fixed up the issue for me.

Status: Needs work » Needs review
File: new, 1.76 KB. PASSED: [[SimpleTest]]: [MySQL] 3,125 pass(es).

Patch re-rolled and made to apply cleanly.

Status: Needs review » Reviewed & tested by the community

(deleted)

Status: Reviewed & tested by the community » Needs review

Re-setting status; sorry, mistakenly posted on wrong issue (had multiple tabs open- sorry)

Status: Needs review » Reviewed & tested by the community

I tested this patch with both realname usernames and standard usernames with apostrophes, including multiple apostrophes, and it worked. Note that on 7.x-2.x, for this patch to work, another patch (https://drupal.org/node/1956038) must be applied.

Version: 7.x-1.x-dev » 6.x-2.x-dev
Status: Reviewed & tested by the community » Patch (to be ported)

Committed and pushed. Do we need this for 6.x as well? Not sure right now.