WordPress.org

Make WordPress Core

Opened 4 years ago

Last modified 5 months ago

#35154 new defect (bug)

The admin_url filter might break ajaxurl usage

Reported by: jadpm
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: General
Keywords: reporter-feedback
Focuses:
Cc:
PR Number:

Description

ajaxurl is a JavaScript global generated basically as

var ajaxurl = '<?php echo admin_url( 'admin-ajax.php', 'relative' ); ?>';

admin_url() results get filtered by admin_url, which might add query arguments into ajaxurl, or at least modify it in a substantial way.

We have several instances where we assume that ajaxurl will be a URL without query arguments, like this one:

// wp-admin\js\tags-box.js 179
ajaxurl + '?action=ajax-tag-search&tax=' + tax,

That assumption might be completely wrong.

I am attaching a list of places where we define ajax_url and a list of places where we assume it is a clean, query-arguments-free URL. Note that those lists might not be complete, although I grepped against WordPress trunk.

As a solution idea, we might want to create a JavaScript version of add_query_arg() and use it extensively.

Attachments (2)

definitions.txt (1.0 KB) - added by jadpm 4 years ago.
usage.txt (1.4 KB) - added by jadpm 4 years ago.


Change History (5)

#1 @stephenharris
4 years ago

As an aside, shouldn't they be using wp.ajax.settings.url rather than defining it themselves? (wp-util.js is a small dependency to add if it needs to be).

As for a js version of add_query_arg(), I'm not able to create a patch just now, but I use the following in a few plug-ins (it's not a strict port of add_query_arg()):

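// Namespace object assumed here so the snippet runs on its own.
var eo = eo || {};

// Add key=value to uri, replacing the value if key is already present.
// value is inserted as-is, so callers must encodeURIComponent() it first.
eo.add_query_arg = function( key, value, uri ){
        // Escape regex metacharacters in key (e.g. "tags[]") before building the pattern.
        var safeKey = key.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
        var re = new RegExp("([?&])" + safeKey + "=.*?(&|$)", "i");
        var separator = uri.indexOf('?') !== -1 ? "&" : "?";
        if (uri.match(re)) {
                return uri.replace(re, '$1' + key + "=" + value + '$2');
        } else {
                return uri + separator + key + "=" + value;
        }
};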

that could be modified to accept an object and URL so that you can more concisely add multiple key-value pairs.
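
A sketch of the JavaScript add_query_arg() idea discussed in this ticket, added here as an example; it is not code from the ticket or from WordPress core, and addQueryArgs, getArg, concatenated and the sample filtered URL are assumptions. It goes beyond the snippet above by accepting an object of arguments, percent-encoding values and preserving fragments.

```javascript
// Added example. addQueryArgs() and getArg() are hypothetical helpers,
// not WordPress core or wp-util APIs.

// Merge args (a plain object) into url, whatever url already contains.
function addQueryArgs(url, args) {
    // Split off the fragment first so arguments never land after '#'.
    var hashAt = url.indexOf('#');
    var fragment = hashAt === -1 ? '' : url.slice(hashAt);
    var rest = hashAt === -1 ? url : url.slice(0, hashAt);

    // Separate the path from any query string a filter may have added.
    var queryAt = rest.indexOf('?');
    var path = queryAt === -1 ? rest : rest.slice(0, queryAt);
    var params = new URLSearchParams(queryAt === -1 ? '' : rest.slice(queryAt + 1));

    // set() replaces an existing key and percent-encodes keys and values,
    // so a value such as "a&b=c" cannot turn into extra parameters.
    Object.keys(args).forEach(function (key) {
        params.set(key, String(args[key]));
    });

    var query = params.toString();
    return path + (query ? '?' + query : '') + fragment;
}

// Read one argument back the way a standard query-string parser sees it.
function getArg(url, key) {
    var queryAt = url.indexOf('?');
    if (queryAt === -1) { return null; }
    var query = url.slice(queryAt + 1).split('#')[0];
    return new URLSearchParams(query).get(key);
}

// Constructed sample values: the default ajaxurl, and one as if an
// admin_url filter had appended an argument.
var cleanAjaxUrl = '/wp-admin/admin-ajax.php';
var filteredAjaxUrl = '/wp-admin/admin-ajax.php?lang=en';

// The concatenation pattern from tags-box.js quoted in the description.
function concatenated(ajaxurl, tax) {
    return ajaxurl + '?action=ajax-tag-search&tax=' + tax;
}

console.log(getArg(concatenated(filteredAjaxUrl, 'post_tag'), 'action')); // null
console.log(addQueryArgs(filteredAjaxUrl, { action: 'ajax-tag-search', tax: 'post_tag' }));
```

With the filtered URL, the concatenated form loses the action argument entirely (it is absorbed into the value of lang), which is the failure the ticket describes.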

#2 in reply to: ↑ description @johnbillion
4 years ago

  • Keywords reporter-feedback added

Replying to jadpm:

admin_url() results get filtered by admin_url, which might add query arguments into ajaxurl, or at least modify it in a substantial way.

What's the use case for an admin URL which contains query args? Is there an example of this out in the wild?

#3 @mikeschroder
4 years ago

  • Version trunk deleted