View Issue Details

ID: 0030204
Project: mantisbt
Category: filters
View Status: public
Last Update: 2022-05-18 04:11
Reporter: tslanina
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: assigned
Resolution: open
Product Version: 2.25.4
Summary: 0030204: Create Permalink - special characters handling
Description

If a category name contains the "&" character and this name is used in a filter, mantis generates a buggy link to the filter.
Example:
Category "f0 & f1", generated link:
website.com/search.php?project_id=99&category_id=f0%20&f1=&sticky=on&sort=last_updated&dir=DESC&hide_status=80&match_type=0

The f0[space][ampersand][space]f1 was parsed as f0[space], and the name after the ampersand (f1) is treated as the next parameter, not as a part of the name (that's why there's "=" added after it).
The correct (percent encoding) link should be:

website.com/search.php?project_id=99&category_id=f0%20%26%20f1&sticky=on&sort=last_updated&dir=DESC&hide_status=80&match_type=0

"f0%20&f1=" vs "f0%20%26%20f1"

(or &amp; instead of %26)

Steps To Reproduce

Create a category with the "&" character in the name.
Make a filter with this category name as a parameter.
Use Create Permalink (from "the hamburger" menu) to generate a link to the filter.

Additional Information

Function filter_encode_field_and_value (filter_api.php) calls PHP urlencode() for each field value. Maybe the value(s) should be processed with htmlspecialcharacters() or a similar function first?
(to replace & with &amp; or %26)

Tags: No tags attached.

Activities

dregad

2022-05-13 05:45

developer   ~0066579

I can reproduce this.

Function filter_encode_field_and_value (filter_api.php) calls PHP urlencode() for each field value. Maybe the value(s) should be processed with htmlspecialcharacters() or a similar function first?

I believe filter_encode_field_and_value()'s behavior is correct - given my test category "a&b", it is passed on to permalink_page.php as search.php?...&category_id=a%26b.

The problem is with string_sanitize_url(), which for security reasons is decomposing the URL parameter to ensure it does not contain any malicious component; doing so, it urldecodes it so the %26 is changed back to ampersand.

At this point I'm not really sure what's the best way to fix this. I need to think about it, there is a security trade-off here.
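The decode-and-rebuild effect described in the comment above, as an added PHP example that is neither MantisBT code nor the code from any pull request. `decode_pairs()` and `rebuild_url()` are hypothetical helpers, and the URL is constructed from the "a&b" test category.

```php
<?php
// Added illustration. rebuild_url() is a hypothetical stand-in for a sanitizer
// that decomposes a URL; it is not MantisBT's string_sanitize_url().

// Split a query string into [key, value] pairs, decoding each component
// so that it can be inspected.
function decode_pairs(string $query): array {
    $pairs = [];
    foreach (explode('&', $query) as $part) {
        if ($part === '') {
            continue;
        }
        [$key, $value] = array_pad(explode('=', $part, 2), 2, '');
        $pairs[] = [urldecode($key), urldecode($value)];
    }
    return $pairs;
}

// Rebuild the URL from its decoded parts. With $reencode = false the decoded
// values are written back as-is, so a literal "&" inside a value turns into a
// parameter separator. With $reencode = true every component is encoded again.
function rebuild_url(string $url, bool $reencode): string {
    [$path, $query] = array_pad(explode('?', $url, 2), 2, '');
    $out = [];
    foreach (decode_pairs($query) as [$key, $value]) {
        $out[] = $reencode
            ? rawurlencode($key) . '=' . rawurlencode($value)
            : $key . '=' . $value;
    }
    return $path . '?' . implode('&', $out);
}

// Constructed input: the test category "a&b" from the comment above.
$permalink = 'search.php?project_id=99&category_id=' . urlencode('a&b') . '&sticky=on';

foreach ([false, true] as $reencode) {
    $result = rebuild_url($permalink, $reencode);
    // Parse the rebuilt URL the way the receiving page would.
    parse_str((string) parse_url($result, PHP_URL_QUERY), $params);
    printf("%s\n  category_id as parsed by the receiver: %s\n",
        $result, var_export($params['category_id'], true));
}
```

Running it prints both rebuilt URLs with the `category_id` value each one yields when parsed again, which shows whether the category name survives the round trip.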

dregad

2022-05-13 09:28

developer   ~0066580

@tslanina I think I found a solution. Please test the code in the following pull request:
https://github.com/mantisbt/mantisbt/pull/1812

dregad

2022-05-18 04:07

developer   ~0066593

@tslanina any feedback?

tslanina

2022-05-18 04:11

reporter   ~0066594

I'm out of office for a couple of days - will test it tomorrow and give feedback.