Make WordPress Core

Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#56339 closed defect (bug) (fixed)

Issue with plugin install pagination

Reported by: praful2111's profile praful2111 Owned by: audrasjb's profile audrasjb
Milestone: 6.1 Priority: normal
Severity: normal Version:
Component: Plugins Keywords: has-patch has-screenshots
Focuses: javascript, administration Cc:

Description

When users search for any plugin with any special character(&) and click on pagination page 2 the URL will consider new parameters after the &.

Here is the video link - https://www.awesomescreenshot.com/video/10352796?key=68a9c344d22c2b84328dcfd7da152c19

Attachments (4)

56339.patch (460 bytes) - added by praful2111 2 years ago.
I have updated admin side plugin js
56339.2.patch (460 bytes) - added by praful2111 2 years ago.
I have sensitize value
f7ace9a32a1f927c24ddb6d4a25eac5a.gif (446.8 KB) - added by audrasjb 2 years ago.
Before patch: query string not encoded
87346ec2b5ec90460f6483df7e6c54d9.2.gif (530.9 KB) - added by audrasjb 2 years ago.
After patch: query string properly encoded

Download all attachments as: .zip

Change History (20)

@praful2111
2 years ago

I have updated admin side plugin js

#1 @audrasjb
2 years ago

Hello, thank you for the ticket and patch!

Moving for 6.1 consideration.

Maybe event.target.value should be sanitized before/outside of the value assignment?

#2 @audrasjb
2 years ago

  • Milestone changed from Awaiting Review to 6.1

#3 @audrasjb
2 years ago

  • Component changed from Upgrade/Install to Plugins

#4 @praful2111
2 years ago

@audrasjb No directly passing the value under the funcation, Not sanitized before/outside of the funcation.

#5 @costdev
2 years ago

  • Keywords changes-requested added

I can verify that the issue exists and that the patch fixes one instance of &.

To deal with all instances of &, for example, search & replace & search again the replace() call should be changed to:

event.target.value.replace( /&/g, '%26' )

#6 @audrasjb
2 years ago

I'm not a specialist, but maybe it's better to use something like encodeURIComponent?

#7 @audrasjb
2 years ago

Tested with:

const uri = 'test&test';
const encoded = encodeURIComponent(uri);
console.log(uri);
console.log(encoded);

> "test&test"
> "test%26test"

#8 @costdev
2 years ago

Good call @audrasjb, that seems to work just fine with multiple & and with various additional characters.

@praful2111
2 years ago

I have sensitize value

#9 @praful2111
2 years ago

  • Keywords changes-requested removed

@audrasjb
2 years ago

Before patch: query string not encoded

@audrasjb
2 years ago

After patch: query string properly encoded

#10 @audrasjb
2 years ago

  • Keywords has-screenshots added
  • Owner set to audrasjb
  • Status changed from new to reviewing

#12 @audrasjb
2 years ago

I added a PR to fix a small Coding standards issue in the previous patch, add also to add a missing occurence.

@costdev @praful2111 looks good to you?

Last edited 2 years ago by audrasjb (previous) (diff)

costdev commented on PR #3068:


2 years ago
#13

LGTM 👍

#14 @praful2111
2 years ago

Looks good to me

#15 @audrasjb
2 years ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 53844:

Plugins: Properly encode query string s parameter in plugin search.

This ensures special characters like & are properly encoded when passed as URL parameter.

Props praful2111, audrasjb, costdev.
Fixes #56339.

Note: See TracTickets for help on using tickets.