Get variable in default theme not escaped correctly
Hi,

I've been customizing the default theme and noticed an issue whereby the GET variable 'back' is not encoded correctly.

For example, in authentication.tpl the following line is used:

                <form action="{$link->getPageLink('authentication', true, NULL, "back=$back")|escape:'html':'UTF-8'}" method="post" id="new_account_form" class="std clearfix">

This results in ampersands in the $back variable being escaped to &amp; whereas they should be escaped to %26.

I have fixed this by adding the following line prior to the <form action.... line:

                {assign var='back' value={$back|escape:'url':'UTF-8'}}

This encodes the $back variable correctly.

In reality, the GET variables should probably be encoded independently of the URL in all instances across PrestaShop. I've never used Smarty so I'm not sure how to do it inline.

Hope this helps someone. Please consider fixing this in the next release.

User2
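The following is an added example, not code from the post above or from PrestaShop. It models the two escaping orders the post describes with Python's standard library so the difference can be checked offline: the original template HTML-escapes a URL that already contains the raw $back value, while the fix percent-encodes $back first and only then HTML-escapes the finished URL for the attribute. The base URL, the parameter names and the sample back value are constructed for illustration; server_side_get() is an approximation of what PHP's $_GET would receive, not PrestaShop's own parsing.

```python
# Added example (not from the forum post or PrestaShop): why a query value
# must be percent-encoded before the whole URL is HTML-escaped.
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed stand-in for the href returned by Link::getPageLink(
# 'authentication', ...) before "back=$back" is appended.
BASE = "https://shop.example/index.php?controller=authentication"

# Constructed sample: a `back` value that itself carries a query string,
# so it contains the ampersands the post is about.
BACK = "index.php?controller=order&step=1&id_cart=7"


def link_html_escape_only(back):
    """What the original template does: raw $back is concatenated into the
    URL and only then is the whole string passed through escape:'html'.
    '&' becomes '&amp;', which the browser turns straight back into '&'."""
    return html.escape(BASE + "&back=" + back, quote=True)


def link_url_encode_then_html(back):
    """The fix from the post: percent-encode the value first (escape:'url',
    so '&' becomes %26), then HTML-escape the finished URL for the attribute
    context. The two encodings are layered, not substituted for each other."""
    return html.escape(BASE + "&back=" + quote(back, safe=""), quote=True)


def server_side_get(attr_value):
    """Approximate $_GET as the server sees it: the browser decodes HTML
    entities in the attribute, sends the request, and the server splits the
    query string on '&'. For a repeated key PHP keeps the last value, which
    is modelled here by taking the last parsed value per key."""
    url = html.unescape(attr_value)
    parsed = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {key: values[-1] for key, values in parsed.items()}


def back_as_seen_by_server(attr_value):
    """Value of $_GET['back'] for the given action attribute (None if absent)."""
    return server_side_get(attr_value).get("back")


if __name__ == "__main__":
    for label, link in (("html only   ", link_html_escape_only(BACK)),
                        ("url then html", link_url_encode_then_html(BACK))):
        print(label, "->", link)
        print("      $_GET:", server_side_get(link))
```

With HTML escaping alone, `back` is truncated to `index.php?controller=order` and `step` and `id_cart` arrive as separate top-level parameters of the authentication request, which is exactly the parameter-splitting the post's `%26` remark points at; with percent-encoding applied first, the server receives the whole `back` value intact and nothing leaks into the outer query.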