pieter-groeneweg
18 Oct 2018

Steps to reproduce the issue

Create a multilingual site.
Do NOT enable SEF URLs.

Expected result

URI under the flags to show URI with & as separator of the querystring

Actual result

URI under the flags do show URI querystring separator as &amp;

System information (as much as possible)

My system is J!3.8.13 on PHP7.2.11, MySQL5.5.33, Apache2.2.15

Additional comments

See also https://forum.joomla.org/viewtopic.php?p=3544309

Possible solution that works for me:

replace all
htmlspecialchars(JUri::current(), ENT_COMPAT, 'UTF-8')
with
JUri::current()

pieter-groeneweg - open - 18 Oct 2018
joomla-cms-bot - change - 18 Oct 2018
Title
language switcher generated URI show "&amp;" instead of "&"
joomla-cms-bot - labeled - 18 Oct 2018
infograf768 - change - 18 Oct 2018
The description was changed
infograf768 - edited - 18 Oct 2018
PhilETaylor - comment - 19 Oct 2018

tagging this one in case someone is in the mood for both at the same time #22713

infograf768 - change - 19 Oct 2018
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2018-10-19 13:20:32
Closed_By: infograf768
infograf768 - comment - 19 Oct 2018
infograf768 - close - 19 Oct 2018
pieter-groeneweg - comment - 19 Oct 2018

Maybe reopen..

Change
htmlspecialchars($language->link, ENT_QUOTES, 'UTF-8')
into
JFilterOutput::ampReplace(htmlspecialchars($language->link, ENT_QUOTES, 'UTF-8', FALSE))

Works too.. same format as used in menu module. That should do it I assume. At least with me.
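
An added example (not part of the thread and not Joomla code) that runs the escaping variants from the two suggestions above over constructed links. It prints what lands in the page source, what a browser would request after decoding the attribute once, and whether the value stays inside a quoted attribute; the helper names and sample links are assumptions.

```php
<?php
// Added example: plain PHP on constructed links, no Joomla classes.

// Escape a link for a quoted HTML attribute. The 4th argument is the
// double_encode flag that the second suggestion above sets to FALSE.
function escapeAttr(string $url, bool $doubleEncode = true): string
{
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8', $doubleEncode);
}

// Approximation of the single decoding pass a browser applies to an
// attribute value before it requests the URL.
function asBrowserRequests(string $attr): string
{
    return html_entity_decode($attr, ENT_QUOTES, 'UTF-8');
}

// True when the value cannot close a quoted attribute or open a tag.
function staysInsideAttribute(string $attr): bool
{
    return strpbrk($attr, "\"'<>") === false;
}

// Constructed sample links (assumptions, not taken from the issue).
$links = [
    'non-SEF link'         => 'index.php?option=com_content&view=article&lang=en',
    'already escaped once' => 'index.php?option=com_content&amp;view=article&amp;lang=en',
    'quote and markup'     => 'index.php?q="><b>&lang=en',
];

foreach ($links as $label => $raw) {
    $variants = [
        'no escaping'         => $raw,
        'htmlspecialchars'    => escapeAttr($raw),
        'double_encode=false' => escapeAttr($raw, false),
    ];
    echo "== $label ==\n";
    foreach ($variants as $name => $attr) {
        $request = staysInsideAttribute($attr)
            ? asBrowserRequests($attr)
            : '(value breaks out of the attribute)';
        printf("%-20s source:  %s\n%-20s request: %s\n", $name, $attr, '', $request);
    }
}
```

In the output, `&amp;` in the page source decodes to a plain `&` in the requested URL, a link that was already escaped becomes `&amp;amp;` unless double_encode is off, and only the unescaped variant lets the quote and angle brackets through.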

infograf768 - comment - 20 Oct 2018

Forwarded to JSST to check if that does not re-introduce the vulnerability.

infograf768 - change - 20 Oct 2018
Status: Closed → New
Closed_Date 2018-10-19 13:20:32
Closed_By infograf768
infograf768 - reopen - 20 Oct 2018
infograf768 - comment - 20 Oct 2018

I am told it's OK to patch this way.
Reopened.
Can you propose the PR?

infograf768 - comment - 20 Oct 2018

In fact, do not worry about that. I will include that patch in a pending PR I made for this module.

pieter-groeneweg - comment - 20 Oct 2018

Sorry I am out for the weekend.. did not read this any earlier to respond.. thanks! Keep up the good work!

infograf768 - change - 21 Oct 2018
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2018-10-21 04:36:10
Closed_By: infograf768
infograf768 - comment - 21 Oct 2018

Please test #22558
Closing as we have a patch.

infograf768 - close - 21 Oct 2018
infograf768 - comment - 21 Oct 2018

Hmm
In fact I have tested this here and there is no change in the link produced...
I should have tested before.

infograf768 - change - 21 Oct 2018
Status: Closed → New
Closed_Date 2018-10-21 04:36:10
Closed_By infograf768
infograf768 - comment - 21 Oct 2018

Reverting JFilterOutput::ampReplace as this will not do the job.
Reopening.

infograf768 - reopen - 21 Oct 2018
infograf768 - comment - 21 Oct 2018

I may have another solution.
Will keep you posted.

infograf768 - comment - 21 Oct 2018

OK, now #22558 can be tested.
Closing again.

infograf768 - close - 21 Oct 2018
infograf768 - change - 21 Oct 2018
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2018-10-21 09:46:24
Closed_By: infograf768
