Fix conversion of forms with relative action URLs#4003
Conversation
| $action_url = '//' . $_SERVER['HTTP_HOST'] . wp_unslash( $_SERVER['REQUEST_URI'] ) . $action_url; | ||
| } elseif ( '.' === $action_url[0] ) { | ||
| // For actions consisting of relative paths (e.g. '../'), prepend the schemeless-host and a trailing-slashed REQUEST URI. | ||
| $action_url = '//' . $_SERVER['HTTP_HOST'] . trailingslashit( wp_unslash( $_SERVER['REQUEST_URI'] ) ) . $action_url; |
There was a problem hiding this comment.
I don't think the trailing slash should always be added. Taking the action .foo for example, depending on the server configuration .foo could be a file while .foo/ could be a directory.
There was a problem hiding this comment.
Correct, but the trailing slash is being added after the path in order to append the relative segment. For example, if the user is currently on /about/team and there is a form that has an action of ../ the resulting action URL path needs to be /about/team/../ not /about/team../. Does that make sense?
There was a problem hiding this comment.
Yes, thanks for the clarification.
Co-Authored-By: Pierre Gordon <16200219+pierlon@users.noreply.github.com>
* Fix conversion of forms with relative action URLs * Re-use schemeless-host variable Co-Authored-By: Pierre Gordon <16200219+pierlon@users.noreply.github.com> Co-authored-by: Pierre Gordon <16200219+pierlon@users.noreply.github.com>
|
Testing instructions:
|
|
Verified in QA
|
| if ( '?' === $action_url[0] || '#' === $action_url[0] ) { | ||
| // For actions consisting of only a query or URL fragment, include the schemeless-host and the REQUEST URI of the current page. | ||
| $action_url = $schemeless_host . wp_unslash( $_SERVER['REQUEST_URI'] ) . $action_url; | ||
| } elseif ( '.' === $action_url[0] ) { |
There was a problem hiding this comment.
Note: the '.' check was not correct here. See #4250 (review)
* tag '1.4.3': (22 commits) Update readme and screenshots for Stories removal (#4259) Open story export instructions in a new window (#4258) Bump version to 1.4.3-RC1 Hide Stories options and add deprecation notice (#4219) Fix malformed conversion of relative action URLs for forms (#4250) Limit Stories experience to WP 5.3 & Gutenberg 7.1.0 (#4217) Prevent errors in admin bar filters from non-array arguments (#4207) Update @wordpress/e2e-test-utils dependency Revert update of mustache/mustache dependency Update composer.lock Update WP CLI to 2.4.0 For WordPress.tv embed, Use an oembed filter instead of block filter (#4164) Update readme to add FAQs section (#4159) Apply workaround to fix test__multiple_valid_image_files (#4034) Ignore Story editor tests (#4043) Update amp-video embed regex pattern to include other Vimeo URL formats (#4051) Update amp-instagram embed regex (#4053) Update wp-dev-lib package (#4029) Fix conversion of forms with relative action URLs (#4003) Improve release instructions (#3995) ...
Summary
The subscription
formin Jetpack uses anactionof#:When the form is being displayed on a URL like
https://example.org/about/it is getting converted by the form sanitizer as:This is wrong. It should instead be:
This PR fixes the sanitization of
actionattribute containing values such as:../?foo=bar#fooIssue discovered in a WordPress.org support topic.
Checklist