Escape ampersands in tracker URLs #12731

Merged
merged 1 commit into from Apr 23, 2018

Contributor

@c960657 c960657 commented Apr 16, 2018

Ampersands need to be HTML-encoded, even when used in URLs. The generated tracking code for the image tracker does not do this.

Expected

<!-- Matomo Image Tracker-->
<img src="http://example.com/piwik.php?idsite=1&amp;rec=1" style="border:0" alt="" />
<!-- End Matomo -->

Actual

<!-- Matomo Image Tracker-->
<img src="http://example.com/piwik.php?idsite=1&rec=1" style="border:0" alt="" />
<!-- End Matomo -->

@fdellwing
Contributor

Source please.

@c960657
Contributor Author

c960657 commented Apr 17, 2018

> Source please.

I don't understand what you are asking for? The source of what?

@fdellwing
Contributor

Any RFC or at least an article with some information why you propagate this change.

@c960657
Contributor Author

c960657 commented Apr 17, 2018

The topic is discussed here:
https://stackoverflow.com/questions/3493405/do-i-really-need-to-encode-as-amp
https://www.w3.org/TR/html52/introduction.html#example-4c330288 (example 8)

Long answer: It's complicated.
Short answer: Always encode ampersand in HTML attribute values, even though it is not required in all cases.

@fdellwing
Contributor

Thanks for the links. The second one clearly states that you don't need to escape it if the following string is not a named character reference. But as it should not break anything, I approve this.

@c960657
Contributor Author

c960657 commented Apr 17, 2018

True, but we cannot assume that the parameters provided by plugins using the SitesManager.getImageTrackingCode event are not accidentally HTML character reference names.
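
Added example, not part of this pull request or of Matomo's code: a Python illustration of the point discussed in the comments above. It builds the image tracker snippet with and without escaping, and lists the ampersands in an unescaped URL that begin an HTML character reference name. The function names and the `copy` and `region` parameters are assumptions made for the illustration.

```python
import html
import re
from html.entities import html5  # HTML5 named character references
from urllib.parse import urlencode


def image_tracker_tag(base_url, params, escape=True):
    """Build the image tracker snippet; escape=False reproduces the "Actual" output."""
    url = base_url + "?" + urlencode(params)
    if escape:
        url = html.escape(url, quote=True)  # & -> &amp;, also escapes < > " '
    return (
        "<!-- Matomo Image Tracker-->\n"
        f'<img src="{url}" style="border:0" alt="" />\n'
        "<!-- End Matomo -->"
    )


def ambiguous_ampersands(raw_url):
    """List every '&name' in an unescaped URL that begins a character reference name.

    Conservative: whether a parser decodes the run depends on the character
    that follows it, so each hit means "do not emit this URL unescaped".
    """
    hits = []
    for match in re.finditer(r"&([A-Za-z][A-Za-z0-9]*)(;?)", raw_url):
        name, semicolon = match.groups()
        if semicolon and name + ";" in html5:
            hits.append("&" + name + ";")
            continue
        # Legacy names (stored in html5 without ';') are recognised as a prefix.
        for end in range(len(name), 0, -1):
            if name[:end] in html5:
                hits.append("&" + name[:end])
                break
    return hits


# Constructed input: "copy" and "region" stand in for parameters a plugin might add.
DEFAULT = {"idsite": 1, "rec": 1}
WITH_PLUGIN = {"idsite": 1, "rec": 1, "copy": "x", "region": "eu"}

if __name__ == "__main__":
    print(image_tracker_tag("http://example.com/piwik.php", DEFAULT))
    for params in (DEFAULT, WITH_PLUGIN):
        print(params, ambiguous_ampersands("?" + urlencode(params)))
```

The default `idsite` and `rec` parameters produce no hits, while the constructed plugin parameters do, which is why escaping every ampersand is the safe default.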

@mattab mattab merged commit cde2b27 into matomo-org:3.x-dev Apr 23, 2018
@mattab
Member

mattab commented Apr 23, 2018

Thank you for the PR @c960657 👍 and congrats on getting your first PR merged!

InfinityVoid pushed a commit to InfinityVoid/matomo that referenced this pull request Oct 11, 2018