[Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Mon Feb 25 00:34:06 CET 2019


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223

--- Comment #4 from David Cook <dcook at prosentient.com.au> ---
(In reply to Jonathan Druart from comment #3)
> Did you read the commit message and the bug description?

No, I didn't look it up in Git. Like Stackoverflow, I think it makes sense to
include the relevant content in the forum rather than sending people off
somewhere else. Providing a link isn't the same thing as providing a response. 

> I wrote a script to guess what needed to be escaped correctly, in <a
> href=/uri?param=[% value %]>, 'value' must be uri escaped, not html escaped.
> 

I think you've misunderstood me. I'm saying "href="[% ITEM_RESULT.uri | url %]"
is a problem because ITEM_RESULT.uri may already contain an escaped URL. For
instance, "https://idp.com?redirect_url=https%3A%2F%2Fsomewhere_else.com". If
you use a filter like [% ITEM_RESULT.uri | url %], that'll make it
double-encoded which breaks the URL. It's a different use case. I'm not
describing building a URL in the template. I'm talking about when an entire URL
is already provided. Filtering it is problematic as you can't know how the URL
data is already going to be handled. (Although a person could write a filter
that parses the URL and escapes any unescaped parameters and rebuilds the URL,
but that's also more work that I doubt anyone wants to do right now.)

> This is true in ~90% of the situations, others (specific cases) need to be
> handled separately and fixed manually.

This is what I don't understand. I understand how the template can be fixed
manually, but can you explain to me how the scripts for auto-adding filters
will ignore manually fixed cases?

*clicks through to
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21526*

Are you referring to use of $raw instead? I don't understand what you're trying
to say. 

> If you found one you can provide a patch and I will test it.

This also confuses me. What do you mean by "one" here?

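The double-encoding described in this comment, and the parse-and-preserve approach it mentions in passing, shown as an added Python example that is not part of the original message or of Koha's code. `naive_url_filter` is a hypothetical stand-in for a percent-encoding template filter that does not exempt `%`; `encode_once` and `href_attr` are hypothetical helpers, and the second sample URL is constructed.

```python
import re
from html import escape
from urllib.parse import quote

# Characters left unencoded (assumption: URL-reserved and unreserved punctuation).
# '%' is deliberately absent, which is what causes double-encoding.
SAFE = ";/?:@&=+$,-_.!~*'()"

# URL from the comment above: the query value is already percent-encoded.
ALREADY_ENCODED = "https://idp.com?redirect_url=https%3A%2F%2Fsomewhere_else.com"

_PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def naive_url_filter(url: str) -> str:
    """Percent-encode everything outside SAFE, including '%' itself."""
    return quote(url, safe=SAFE)


def encode_once(url: str) -> str:
    """Percent-encode unsafe characters but keep existing %XX escapes as-is.

    Idempotent: applying it twice gives the same result as applying it once.
    Limitation: a literal '%41' that was meant as text cannot be told apart
    from an escape, so the input is assumed to be a URL, not free text.
    """
    out, pos = [], 0
    for m in _PCT_ESCAPE.finditer(url):
        out.append(quote(url[pos:m.start()], safe=SAFE))  # encode the gap
        out.append(m.group(0))                            # keep the escape
        pos = m.end()
    out.append(quote(url[pos:], safe=SAFE))
    return "".join(out)


def href_attr(url: str) -> str:
    """Value for href="...": encode once, then HTML-escape for the attribute."""
    return escape(encode_once(url), quote=True)


if __name__ == "__main__":
    print(naive_url_filter(ALREADY_ENCODED))  # '%3A' turns into '%253A'
    print(encode_once(ALREADY_ENCODED))       # unchanged
    print(href_attr('https://example.org/a b?q=100%&r=%2F&t="x"'))
```
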