Bug #16583
closed
& instead of & in urls with tslib_pibase->pi_linkTP_keepPIvars_url and tslib_cObj->getTypoLink_URL
Description
function pi_linkTP_keepPIvars calls typolink in the end and there the url of the link is encoded by htmlspecialchars (line 5321).
pi_linkTP_keepPIvars_url calls pi_linkTP_keepPIvars to generate the link
and $this->cObj->lastTypoLinkUrl to get the url only. But this url isn't encoded by htmlspecialchars.
getTypoLink_URL also uses lastTypoLinkUrl to get the url only.
Are there any side effects if the line
return $this->cObj->lastTypoLinkUrl; / return $this->lastTypoLinkUrl;
were changed to
return htmlspecialchars($this->cObj->lastTypoLinkUrl); / return htmlspecialchars($this->lastTypoLinkUrl);
(issue imported from #M4260)
Updated by Michael Stucki about 18 years ago
Yes!! This can't be changed for a simple reason: TYPO3 is mainly a CMS to generate web pages, but it can also be used to create any kind of data. Just consider that there are lots of data formats which don't expect all URLs to be htmlspecialchar'ed...
Therefore I'm going to close this issue. It's not a bug, it's a feature! ;-)
Updated by Marc Bastian Heinrichs about 18 years ago
Are you having the code of function typolink in mind?
if ($GLOBALS['TSFE']->spamProtectEmailAddresses === 'ascii' && $finalTagParts['TYPE'] === 'mailto') {
    $res = '<a href="'.$finalTagParts['url'].'"'.($title?' title="'.$title.'"':'').$finalTagParts['targetParams'].($linkClass?' class="'.$linkClass.'"':'').$finalTagParts['aTagParams'].'>';
} else {
    $res = '<a href="'.htmlspecialchars($finalTagParts['url']).'"'.($title?' title="'.$title.'"':'').$finalTagParts['targetParams'].($linkClass?' class="'.$linkClass.'"':'').$finalTagParts['aTagParams'].'>';
}
So EVERY url you get with typolink, but mailto ascii, is htmlspecialchar'ed.
Why not the lastTypoLinkUrl?
Updated by Michael Stucki about 18 years ago
You mean getTypoLink_URL() not lastTypoLinkUrl() (which doesn't exist as a method) right?
- typolink() outputs a "link-wrapped string"
- getTypoLink_URL() outputs "The URL"
I've copied these parts from the function declarations in tslib_content.php. Since the URL is not bound to HTML links only, it is clear that the output must not be htmlspecialchar'ed.
However, for HTML links it is indeed expected.
The solution is easy: If you call the getTypoLink_URL() function, make sure to send it through htmlspecialchars() afterwards.
- michael
Updated by Marc Bastian Heinrichs about 18 years ago
Hi Michael,
of course, lastTypoLinkUrl is an attribute of tslib_cObj.
With functions
- tslib_cObj->getTypoLink_URL()
- tslib_cObj->typoLink_URL()
- tslib_pibase->pi_linkTP_keepPIvars_url
you get the value of lastTypoLinkUrl.
I don't understand the difference between getting the link-wrapped string or only the URL, because for every URL type lastTypoLinkUrl is the string that is used for generating the HTML link.
In my opinion (from the point of view of an extension programmer) the resulting URL must be the same, regardless of which function he uses: the one that returns only the URL, or the one that returns the link-wrapped URL.
Perhaps it's the point of view. I will use htmlspecialchars in my extension now.
Marc Bastian
Updated by Popy no-lastname-given about 18 years ago
If you want to use something like "header('Location: someurl');", you need the pure URL.
If you want to set a returnUrl, you need to rawurlencode the pure URL.
The getTypoLink_URL() function returns a URL, not an htmlspecialchars'ed URL, that's all.
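An added example (not part of the thread and not TYPO3 code) of the point made in the comments above: the URL getter returns the raw URL, and each output context applies its own encoding exactly once. The sample URL and the three helper function names are hypothetical.

```php
<?php
// Constructed sample: a raw URL of the kind getTypoLink_URL() returns
// (hypothetical value, not taken from the thread).
$rawUrl = 'index.php?id=12&tx_myext_pi1[showUid]=7&cHash=abc123';

/** HTML attribute context: escape at output time, exactly once. */
function forHtmlAttribute(string $url): string
{
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

/** HTTP header context: the URL goes out unescaped, but must not carry CR/LF. */
function forLocationHeader(string $url): string
{
    if (preg_match('/[\r\n]/', $url)) {
        throw new InvalidArgumentException('Line break in redirect URL');
    }
    return 'Location: ' . $url;
}

/** Query parameter context: the whole URL becomes a single parameter value. */
function forReturnUrlParam(string $url): string
{
    return 'returnUrl=' . rawurlencode($url);
}

// One raw value, three contexts, three different encodings.
echo '<a href="' . forHtmlAttribute($rawUrl) . '">detail</a>', PHP_EOL;
echo forLocationHeader($rawUrl), PHP_EOL;
echo 'login.php?' . forReturnUrlParam($rawUrl), PHP_EOL;

// What the proposed change would cause: a getter that already returns
// htmlspecialchars() output hands entity-encoded text to non-HTML contexts.
$preEscaped = htmlspecialchars($rawUrl, ENT_QUOTES, 'UTF-8');

// In a header or query string the entity text is taken literally, so a
// parser splitting on '&' no longer sees the original parameter names.
parse_str(parse_url($rawUrl, PHP_URL_QUERY), $fromRaw);
parse_str(parse_url($preEscaped, PHP_URL_QUERY), $fromPreEscaped);
var_dump(array_keys($fromRaw), array_keys($fromPreEscaped));

// In an HTML template that escapes on output (as it should), the
// pre-escaped value is escaped a second time.
echo forHtmlAttribute($preEscaped), PHP_EOL;
```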
Updated by Marc Bastian Heinrichs about 18 years ago
I got it. It has to be how it's realized now.
Stucki, can you close the bug, please?
THX