Page MenuHomePhabricator
Create Task
Maniphest T17564

Input box does not generate correct URL containing ampersand
Closed, ResolvedPublic
Actions

Description

Author: RLUllmann

Description:
If the page title contains an ampersand, Inputbox generates the edit url with %26amp%3B instead of just %26, usually resulting in a server error; but has been reported as generating the page title truncated at the ampersand.

E.g. on en.wikt, enter foo&bar and "Go", then pick the "Noun" button; generated URL contains &title=foo%26amp%3Bbar :

go to http://en.wiktionary.org/w/index.php?title=Special:Search&search=foo%26bar
press "Noun"

I have not tested other things that might be escaped in a URL or other cases, code needs looking at.

Version: unspecified
Severity: normal

Details

Reference
bz15564

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 10:18 PM
bzimport added a project: MediaWiki-extensions-InputBox.
bzimport set Reference to bz15564.
bzimport added a subscriber: Unknown Object (MLST).
bzimport created this task.Sep 11 2008, 3:43 PM
Umherirrender added a comment.Mar 20 2009, 5:50 PM

should works with #tag:

{{#tag:inputbox|
type=create
editintro=Template:new_en_noun_intro
preload=Template:new_en_noun
default=$1
break=no
width=1
hidden=true
buttonlabel=Noun
}}

MarkAHershberger added a comment.Jun 14 2011, 12:22 AM

unassigned Trevor from Inputbox extension.

brion added a comment.Sep 23 2011, 12:02 AM

(In reply to comment #1)

should works with #tag:

Actually that doesn't seem to do any different.

Hmm...

The parameter with the search term on the searchmenu-new message in Special:Search is escaped ahead of time so that it won't trigger wiki syntax in the output: eg a title containing "''" shouldn't trigger italics.

So the inputbox's parameters contain "default=foo&bar" (or on 1.18/trunk, "default=foo&bar" which fails in a similar but slightly different way).

Inputbox dutifully accepts that and sticks it in the value of its (hidden) input element -- of course escaping all of its output so the & and whatnot are preserved across the form submission.

Possibly inputbox should do normalization on the input to pre-convert any character references... though of course if anybody is *deliberately* putting character references into the inputbox input values they'd need to update to double-escape.

bzimport added a comment.Oct 25 2011, 12:15 AM

mcdevitd wrote:

Marking as duplicate of bug 29066, with a more general name, since ampersands are not the only problematic characters.

*** This bug has been marked as a duplicate of bug 29066 ***

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL