FormHelper::create() URL escapes action attribute
Reported by Adam Bartholomew | May 30th, 2011 @ 02:29 PM | in 1.3.10 (closed)
What I did
$form->create() on a page with querystring /customers/confirm?email=email%40domain.com&code=abc123
What happened
<form action="/customers/confirm?email=email%40domain.com&code=abc123">
Causes form to post double encoded.
$htmlAttributes['action'] = Router::url($options['action'], array('escape' => false));
instead of
$htmlAttributes['action'] = $this->url($options['action']);
(FormHelper L:297) seems to resolve the issue, not sure if any adverse side effects of changing this...
Comments and changes to this ticket

Mark Story May 30th, 2011 @ 06:57 PM
- → Tag changed from formhelper create to create, defect, formhelper
- → Milestone set to 1.3.9
- → State changed from new to hold
I'm pretty sure the &'s in URLs have to be entity encoded. And the existing tests reflect this, I don't really see the double encoding in the test cases.

Adam Bartholomew June 23rd, 2011 @ 02:57 PM
After further looking at this you are correct, the action does need to be URL encoded. The issue is that it is in fact double URL encoded (&)
The tests use $this->Form->create() with an option of 'escape' => false. This would mean that the HTML attributes returned are not escaped/encoded. Wouldn't testing for "/controller/action?param1=value1&param2=value2" be a false positive?
"/controller/action?param1=value1&param2=value2" should be the tested action attribute when escape = true.
Seems to affect 1.3 as well as 2.0

Mark Story June 23rd, 2011 @ 03:31 PM
- → State changed from hold to open
- → Assigned user set to Mark Story
Thanks for following up. It does seem that the attribute is getting double escaped. I'll get that fixed up :)

Adam Bartholomew June 23rd, 2011 @ 03:46 PM
I just realized that LH has been trashing my posts and replacing all my encoded &&'s and turning them into &'s making this ticket very difficult to read & understand. Thanks for bearing with me.

CakePHP June 23rd, 2011 @ 04:32 PM
- → State changed from open to resolved
(from [13bcaaf2eb74bff18f90a61f5ce100b5b1dfc998]) Fixing doubly encoded action attributes in FormHelper. Fixes #1748
https://github.com/cakephp/cakephp/commit/13bcaaf2eb74bff18f90a61f5...

CakePHP June 23rd, 2011 @ 04:33 PM
(from [d6e262da2d1607e69345927b9bb1964671879232]) Fixing form action attributes being double encoded with querystring attributes.
Fixes #1748
https://github.com/cakephp/cakephp/commit/d6e262da2d1607e69345927b9...
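
The double encoding discussed in this ticket, as an added example in plain PHP (not code from the ticket or from CakePHP). buildUrl(), renderFormTag() and paramsSeenByServer() are hypothetical stand-ins for a URL helper that can escape its output, an attribute formatter that always escapes, and a browser submitting the form.

```php
<?php
// Simplified model of the bug in this ticket; plain PHP, not CakePHP's own code.
// All function names below are hypothetical and exist only for this example.

function buildUrl(string $path, array $query, bool $escape): string
{
    // http_build_query() percent-encodes values (@ becomes %40).
    $url = $path . '?' . http_build_query($query);
    // With $escape = true the URL is HTML-escaped here, before it reaches the tag.
    return $escape ? htmlspecialchars($url, ENT_QUOTES, 'UTF-8') : $url;
}

function renderFormTag(string $action): string
{
    // The attribute formatter always HTML-escapes the value it is given.
    return '<form action="' . htmlspecialchars($action, ENT_QUOTES, 'UTF-8') . '">';
}

function paramsSeenByServer(string $tag): array
{
    // A browser decodes entities in the attribute exactly once before submitting.
    preg_match('/action="([^"]*)"/', $tag, $m);
    $action = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
    parse_str((string) parse_url($action, PHP_URL_QUERY), $params);
    return array_keys($params);
}

// Constructed sample matching the query string in the report.
$query = ['email' => 'email@domain.com', 'code' => 'abc123'];

// Escaped twice: once by the URL builder, once by the attribute formatter.
$double = renderFormTag(buildUrl('/customers/confirm', $query, true));
// Escaped once: the URL builder returns the raw URL, the formatter escapes it.
$single = renderFormTag(buildUrl('/customers/confirm', $query, false));

echo $double, "\n";
print_r(paramsSeenByServer($double));
echo $single, "\n";
print_r(paramsSeenByServer($single));
```

In the double-escaped case the browser's single decode leaves an entity in the URL, so the second parameter reaches the server under the name `amp;code` instead of `code`. Escaping exactly once, at the point where the value is written into the attribute, keeps both the markup valid and the parameter names intact.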
Source available from github
Repository is at http://github.com/cakephp/cakephp
Creating a bug report
When creating a bug report, please include as much relevant information as possible. Please include code to reproduce the issue. Or even better, make a unit test. Either change an existing test or add a new test to show that the expected behavior is not occurring.