-
Notifications
You must be signed in to change notification settings - Fork 383
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix conversion of forms with relative action URLs #4003
Conversation
$action_url = '//' . $_SERVER['HTTP_HOST'] . wp_unslash( $_SERVER['REQUEST_URI'] ) . $action_url; | ||
} elseif ( '.' === $action_url[0] ) { | ||
// For actions consisting of relative paths (e.g. '../'), prepend the schemeless-host and a trailing-slashed REQUEST URI. | ||
$action_url = '//' . $_SERVER['HTTP_HOST'] . trailingslashit( wp_unslash( $_SERVER['REQUEST_URI'] ) ) . $action_url; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think the trailing slash should always be added. Taking the action .foo
for example, depending on the server configuration .foo
could be a file while .foo/
could be a directory.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Correct, but the trailing slash is being added after the path in order to append the relative segment. For example, if the user is currently on /about/team
and there is a form that has an action of ../
the resulting action
URL path needs to be /about/team/../
not /about/team../
. Does that make sense?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, thanks for the clarification.
Co-Authored-By: Pierre Gordon <16200219+pierlon@users.noreply.github.com>
* Fix conversion of forms with relative action URLs * Re-use schemeless-host variable Co-Authored-By: Pierre Gordon <16200219+pierlon@users.noreply.github.com> Co-authored-by: Pierre Gordon <16200219+pierlon@users.noreply.github.com>
Testing instructions:
|
if ( '?' === $action_url[0] || '#' === $action_url[0] ) { | ||
// For actions consisting of only a query or URL fragment, include the schemeless-host and the REQUEST URI of the current page. | ||
$action_url = $schemeless_host . wp_unslash( $_SERVER['REQUEST_URI'] ) . $action_url; | ||
} elseif ( '.' === $action_url[0] ) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note: the '.'
check was not correct here. See #4250 (review)
* tag '1.4.3': (22 commits) Update readme and screenshots for Stories removal (#4259) Open story export instructions in a new window (#4258) Bump version to 1.4.3-RC1 Hide Stories options and add deprecation notice (#4219) Fix malformed conversion of relative action URLs for forms (#4250) Limit Stories experience to WP 5.3 & Gutenberg 7.1.0 (#4217) Prevent errors in admin bar filters from non-array arguments (#4207) Update @wordpress/e2e-test-utils dependency Revert update of mustache/mustache dependency Update composer.lock Update WP CLI to 2.4.0 For WordPress.tv embed, Use an oembed filter instead of block filter (#4164) Update readme to add FAQs section (#4159) Apply workaround to fix test__multiple_valid_image_files (#4034) Ignore Story editor tests (#4043) Update amp-video embed regex pattern to include other Vimeo URL formats (#4051) Update amp-instagram embed regex (#4053) Update wp-dev-lib package (#4029) Fix conversion of forms with relative action URLs (#4003) Improve release instructions (#3995) ...
Summary
The subscription
form
in Jetpack uses anaction
of#
:When the form is being displayed on a URL like
https://example.org/about/
it is getting converted by the form sanitizer as:This is wrong. It should instead be:
This PR fixes the sanitization of
action
attribute containing values such as:../
?foo=bar
#foo
Issue discovered in a WordPress.org support topic.
Checklist