php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #76664 Regression in URL rewrite when JavaScript href?
Submitted: 2018-07-25 16:56 UTC Modified: 2020-09-15 14:49 UTC
Votes:3
Avg. Score:2.0 ± 1.4
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:0 (0.0%)
From: nicolas dot dermine at gmail dot com Assigned:
Status: Verified Package: Output Control
PHP Version: 7.2.8 OS: linux
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: nicolas dot dermine at gmail dot com
New email:
PHP Version: OS:

 

 [2018-07-25 16:56 UTC] nicolas dot dermine at gmail dot com 
Description:
------------
We output some HTML markup inside a json_encoded string, with double quotes replaced by `\u0022` (with the `JSON_HEX_QUOT` flag)

the HTML markup contains a `<a href="javascript:...>` link

which becomes `<a href=\u0022javascript:...>` when json_encoded

we also use `output_add_rewrite_var`, and had no problem when using PHP 5.6 or PHP 7.0
(i.e .the parameter was not added, since this a JavaScript call, not a URL),

but it seems since PHP 7.1.0 the URL parameter is added just before the first argument of the JavaScript function in the `href` attribute, resulting in a JavaScript error when it is clicked.



Test script:
---------------
<?php
// tried this on https://3v4l.org/fmRvE

output_add_rewrite_var('param_name', 'param_value');
ini_set('url_rewriter.tags', 'a=href');
echo '"<a href=\\u0022javascript:someFunc(\'some arg\')\\u0022>link 2</a>"';

Expected result:
----------------
Output for 5.6.30, 7.0.30 - 7.0.31
"<a href=\u0022javascript:someFunc('some arg')\u0022>link 2</a>"

Actual result:
--------------
Output for 7.1.0 - 7.3.0alpha4
"<a href=\u0022javascript:someFunc(?param_name=param_value'some arg')\u0022>link 2</a>"



(the added `?param_name=param_value` after the opening parenthesis causes a JavaScript error when the link is clicked.)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-07-26 08:49 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2020-09-15 14:44 UTC] cmb@php.net 
This is conceptionally tricky.  The issue isn't the javascript:
URL, but rather that the URL rewriter does not expect EcmaScript
Unicode escape characters.  If these are present, that can cause
all kinds of misbehavior, e.g.

    "<a href=\\u0022ftp://example.com\\u0022>link 2</a>"

will also be rewritten, even though ftp:// URLs are not supposed
to.

Not sure how to address this.
 [2020-09-15 14:49 UTC] cmb@php.net 
Regarding the regression as of PHP 7.1.0: formerly, the URL
parsing was more sloppy, so the \u0022 have basically just been
ignored.  As of PHP 7.1.0, the URL is actually parsed
(php_url_parse_ex()), and since the \u0022 are considered part of
the URL, the URL parser is confused; see <https://3v4l.org/7PMeQ>.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Dec 26 22:01:28 2024 UTC