Fix malformed conversion of relative action URLs for forms#4250
Merged
westonruter merged 7 commits intodevelopfrom Feb 9, 2020
Merged
Fix malformed conversion of relative action URLs for forms#4250westonruter merged 7 commits intodevelopfrom
westonruter merged 7 commits intodevelopfrom
Conversation
westonruter
requested changes
Feb 7, 2020
| } else { | ||
| // Otherwise, when the action URL includes an absolute path, just append it to the schemeless-host. | ||
| $action_url = $schemeless_host . $action_url; | ||
| $parsed_url = wp_parse_url( $action_url ); |
Member
There was a problem hiding this comment.
This conditional is getting big. Please move it into a helper method as I've done in #4212. This will make the condition needing less nesting, as you can just return at more points.
| // Ignore a malformed URL - it will be later sanitized. | ||
| if ( false !== $parsed_url ) { | ||
| // Handle relative URLs. | ||
| if ( ! isset( $parsed_url['scheme'] ) || 'https' !== $parsed_url['scheme'] ) { |
Member
There was a problem hiding this comment.
Why the 'https' !== $parsed_url['scheme'] condition here?
Contributor
Author
There was a problem hiding this comment.
To ignore URLs with the https scheme, otherwise it becomes schemeless which is unnecessary.
I've updated the comment there to reflect this:
Member
Contributor
Author
There was a problem hiding this comment.
Thanks! And its more readable 👍 .
Comment on lines
+82
to
+88
| if ( ! isset( $parsed_url['path'] ) ) { | ||
| // If there is action URL path, use the one from the request. | ||
| $parsed_url['path'] = trailingslashit( wp_unslash( $_SERVER['REQUEST_URI'] ) ); | ||
| } elseif ( '' !== $parsed_url['path'] && '/' !== $parsed_url['path'][0] ) { | ||
| // If the path is relative, append it to the current request path. | ||
| $parsed_url['path'] = trailingslashit( wp_unslash( $_SERVER['REQUEST_URI'] ) ) . trailingslashit( $parsed_url['path'] ); | ||
| } |
Member
There was a problem hiding this comment.
If no path is supplied and yet the host is present, then the path should assume to be empty. The current REQUEST_URI should not be supplied. I added a failing test case to show the proper behavior: f27f5a2.
westonruter
reviewed
Feb 8, 2020
| if ( '?' === $action_url[0] || '#' === $action_url[0] ) { | ||
| // For actions consisting of only a query or URL fragment, include the schemeless-host and the REQUEST URI of the current page. | ||
| $action_url = $schemeless_host . wp_unslash( $_SERVER['REQUEST_URI'] ) . $action_url; | ||
| } elseif ( '.' === $action_url[0] ) { |
Member
There was a problem hiding this comment.
In your changes, you correctly changed the '.' === $action_url[0] to '/' !== $action_url[0]. This I believe fixes the case where there is an action URL like foo/ as opposed to ../. I added a test to confirm this: 585be89.
westonruter
approved these changes
Feb 8, 2020
westonruter
added a commit
that referenced
this pull request
Feb 9, 2020
* Fix malformed conversion of relative action URLs for forms * Simplify URL reconstruction by eliminating ternary expressions * Add failing case for pathless URL * Refactor determining action url to separate function * Set an empty path if none is defined but there is a host * Short-circuit when get_action_url has nothing to do * Add test for dotless relative path action URL Co-authored-by: Weston Ruter <westonruter@google.com>
3 tasks
westonruter
added a commit
that referenced
this pull request
Feb 13, 2020
* tag '1.4.3': (22 commits) Update readme and screenshots for Stories removal (#4259) Open story export instructions in a new window (#4258) Bump version to 1.4.3-RC1 Hide Stories options and add deprecation notice (#4219) Fix malformed conversion of relative action URLs for forms (#4250) Limit Stories experience to WP 5.3 & Gutenberg 7.1.0 (#4217) Prevent errors in admin bar filters from non-array arguments (#4207) Update @wordpress/e2e-test-utils dependency Revert update of mustache/mustache dependency Update composer.lock Update WP CLI to 2.4.0 For WordPress.tv embed, Use an oembed filter instead of block filter (#4164) Update readme to add FAQs section (#4159) Apply workaround to fix test__multiple_valid_image_files (#4034) Ignore Story editor tests (#4043) Update amp-video embed regex pattern to include other Vimeo URL formats (#4051) Update amp-instagram embed regex (#4053) Update wp-dev-lib package (#4029) Fix conversion of forms with relative action URLs (#4003) Improve release instructions (#3995) ...
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #4208.
Checklist