magento-lts icon indicating copy to clipboard operation
magento-lts copied to clipboard

Published 20 hours ago verified publisher icon OpenMage

Twice URL escaped when changing the sorting

Open abdel-aouby opened this issue 3 years ago • 4 comments

Preconditions (*)

  1. Tested on live sandbox : https://www.softaculous.com/demos/Magento_1.9
  2. Confirmed in last openMage magento-lts version

Steps to reproduce (*)

  1. Search some string with none latine letter (e.g: Šaty OR zesilovač) image

  2. Change the sorting image

  3. the result is broken image

Expected result (*)

  1. image

Actual result (*)

  1. image

Possibly the problem is happening here: js/varien/js.js:31

abdel-aouby avatar May 28 '21 16:05 abdel-aouby

I confirm this bug related to special characters.

Let's take as example oléorésine which is a French word and observe the URL in browser address and the search box content.

By filling up the word in the search box then clicking on [Search] button the results are:

  • Search box: oléorésine
  • URL in browser address: /catalogsearch/result/?q=oléorésine

Now changing the Sort By from "Relevance" to any values like "Price" or "Name" the results are:

  • Search box: ol%C3%A9or%C3%A9sine
  • URL in browser address: /catalogsearch/result/index/?dir=asc&order=name&q=ol%25C3%25A9or%25C3%25A9sine

By using the sort feature é character becomes %25C3%25A9. Obviously the search result is that no products were found.

Let's take a look at the source code of the page after the initial search. Here is the select tag responsible for Sort action:

<select onchange="setLocation(this.value)" title="Sort By">
  <option value="https://www.mydomain.tld/catalogsearch/result/index/?dir=asc&amp;order=relevance&amp;q=ol%C3%A9or%C3%A9sine" selected="selected">Relevance</option>
  <option value="https://www.mydomain.tld/catalogsearch/result/index/?dir=asc&amp;order=name&amp;q=ol%C3%A9or%C3%A9sine">Name</option>
  <option value="https://www.mydomain.tld/catalogsearch/result/index/?dir=asc&amp;order=price&amp;q=ol%C3%A9or%C3%A9sine">Price</option>
</select>

As you can see these links are built encoded which is just fine in my opinion.

addison74 avatar May 28 '21 21:05 addison74

I also can confirm this double encoding problem in js/varien/js.js (setLocation). Is there any functional or security implication with the following change?

Replace

function setLocation(url){
    window.location.href = encodeURI(url);
}

with

function setLocation(url){
    window.location.href = encodeURI(decodeURI(url));
}

It seems to work for German and basic cases but I'm not sure about other languages and special cases and security implications.

jfksk avatar May 29 '21 23:05 jfksk

I confirm @jfksk solution is solving this issue for the French word oléorésine. In browser address the URL is not encoded but URL's for Sort By and Pagination are. By changing the values in Sort By list it works as expected , also the sort directions and paginations.

I don't know what security implications could have this combination encode(decode) which seems to cancel each other out. I will try finding some articles on Internet. Here is one https://www.geeksforgeeks.org/javascript-encodeuri-decodeuri-and-its-components-functions/

addison74 avatar May 30 '21 07:05 addison74

Seems that the escape inside setLocation was added as reaction to some forgot escape in some template. Would be hard to find it.

midlan avatar Sep 06 '21 12:09 midlan

I was looking at this issue and I did find some instances where an unescaped URL is passed to setLocation (hence why it's being encoded inside). Now the question is should we remove decodeURI and make sure that all URLs passed to setLocation are escaped, but that might be a problem for 3rd party extensions

elidrissidev avatar Oct 02 '22 09:10 elidrissidev

Duplicate of #1114

sreichel avatar Jan 19 '23 04:01 sreichel