User tests: Successful: Unsuccessful:
Pull Request for Issue #19130.
Use urlencode()
function for result of base64_encode()
in URL query string.
For develop joomla website on URL like http://localhost/~user/joomla
function base64_encode()
generates unsafe string in URL query.
Test issue #19130
Additional:
Login as admin, go to some page (ex user login page) on front end and save/save and close/cancel module settings. After save + save and close/save and close/cancel you should back to previous page.
Go to category list and find the button "New" (add new article to category).
Click on link and then cancel, or save article. After you should back to category list.
Then try to edit some article from the category list. Save or cancel and back to category list.
The variable return
is correct and you will be redirected to the previous page.
This is only visible on website that contains ~
in address.
The variable return
is invalid and joomla redirects you to home page.
None
Status | New | ⇒ | Pending |
Category | ⇒ | Administration com_menus Templates (admin) Front End com_config com_content com_users Libraries |
Labels |
Added:
?
|
Title |
|
Yes, i will test asap, maybe just not today...
Is there a chance to test this week?
tested, works as expected
tested successfully
I have tested this item
With/without PR, I followed the test instructions #19130 and it redirected to the home page instead of article category list page.
The New
button URL has the +
:
/~user/joomla/component/content/?task=article.add&return=aHR0cDovL2xvY2FsaG9zdC9+dXNlci9qb29tbGEvYXJ0aWNsZS1jYXRlZ29yeS1saXN0&a_id=0&catid=19
well, worked fine with me the method with module editing: without patch, went back to index, with patch, went back to initial page.
are you sure you refreshed properly after applying the patch (i'm asking before it happened to me... patch, go back to index, then to another menu item, edit module, save and close)
Yes. To reproduce:
Article Category List
.New
button.Cancel
button.On a site without ~
, it redirects to the article category list page.
you are right, the base64 return link on the 'new' button stll has a +
it's because of this:
https://github.com/joomla/joomla-cms/blob/staging/components/com_content/helpers/icon.php#L49
the return uri will be decoded when passing through JRoute::_() -> you get the +
I have tested this item
see PR comments, having issue with new button from icon content helper.
this might happen elsewhere as well...
Yes.
There is a problem with JRoute::()
which decode
%2B
back to +
.
I can use urlencode($return)
twice in JRoute::()
or try to fix JRoute::()
which is not easy and it will break unit tests.
This create our problem:
joomla-cms/libraries/vendor/joomla/uri/src/AbstractUri.php
Lines 308 to 311 in 7d3a3ef
May be I should move the value of return to outside: JRoute::_('...&return=') . urlencode($return)
Indeed, that is what i wrote in the issue: the problem is that JRoute::_ calls UriHelper::parse_url() , which decodes the params.
I don't think double url_encode is a good solution, it's a hack.
Adding the return outside of JRoute::_ is better, but you need to make sure if there is already a ?var=xx in the returned url, as sef components could return an url without get variables.
I fixed previous issues. Please test.
The best way would be to remove urldecode
from:
joomla-cms/libraries/vendor/joomla/uri/src/AbstractUri.php
Lines 308 to 311 in 7d3a3ef
and replace it by something better but this would break B/C.
I have tested this item
This works, but it feels wrong... I agree with you it's JRoute::_() that should be fixed. I am not sure why we urldecode is used there, maybe this needs to be forwarded to people that coded this initially, or have a better understanding of the router maybe (not saying you don't, but speaking for me)
I tried to fix JUri
and remove urldecode
and decode only a few chars like ('[', ']') but it changes behaviour and unit tests fail.
The issue was introduced at:
https://github.com/joomla-framework/uri/blob/b91252fe255a7da9f8ab365750db693891d3324d/src/AbstractUri.php#L310
The last changes was done a long time ago.
I looked at drupal and wordpress:
and they do not use urldecode
.
I'll put this on Glip's channel.
7 days ago I asked for advice on Glip channel but there is no interest.
In this PR I use two solutions:
str_replace('return=return', 'return=' . $return, $link)
because it is safe after JRoute/Juri
will be patched.urlencode(urlencode($return))
where I do not have a full link but only partial query available.JRoute/Juri
will be patched.Using method like JRoute::_('...&return=') . urlencode($return)
is wrong too because JRoute
may add a new parameter &Itemid=...
and then we end with &return=&Itemid=...
.
IMHO I could try to change JUri::buildQuery
but it breaks B/C and has to wait till J4.
@julienV If you mark it as test success then maintainers will decide.
Due to lack of interest, I close it.
Status | Pending | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2018-06-25 20:58:01 |
Closed_By | ⇒ | csthomas |
@julienV can you please test as you reported Issue #19130?