[rt-users] URL double encoding from the custom field value

Kevin Falcone falcone at bestpractical.com
Tue Feb 18 13:36:53 EST 2014


On Fri, Feb 14, 2014 at 12:56:49PM -0500, Dalal, Kamber Z wrote:
>    My Custom Field value is:
> 
>    srch=abcd&earliest=klmtime&latest=xyztime
> 
>    In the Custom Field definition link value to is set as:
> 
>    http://myweb.domain.com/__CustomField__
> 
>    The URL being generated is
>    http://myweb.domain.com/srch%3Dabcd%26earliest%3Dklmtime%26latest%3Dxyztime
> 
>    Instead of what should be:
> 
>    http://myweb.domain.com/srch=abcd&earliest=klmtime&latest=xyztime

Thanks - with better data I can now see what's happening.

RT makes a number of checks on the Custom Field content to protect
your users.  Since Custom Fields could contain data from a malicious
user, we try to detect and avoid javascript and data URIs and block
them, and we URI Escape all user inputted data before generating the
link.

The relevant method is in ObjectCustomFieldValue.pm called
_FillInTemplateURL and you can see that it has configuration:

CustomField => { value => sub { $_[0]->Content }, escape => 1 },

You would need to define an ObjectCustomFieldValue_Local.pm to redefine
that method and avoid escaping on that one CF value unfortunately.

-kevin
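
The escaping behaviour described in the message above, as an added example that is not part of the original e-mail and is not RT's code: it fills the `__CustomField__` placeholder with the whole value escaped, then shows a narrower alternative that escapes each key and value separately so `=` and `&` survive as separators. The function names are hypothetical, the http/https allow-list is an assumed stand-in for RT's own scheme checks, and `URI::Escape` is the CPAN module.

```perl
#!/usr/bin/perl
# Added illustration: stand-alone sketch, not RT's implementation.
# fill_escaped, fill_query_pairs and link_allowed are hypothetical names.
use strict;
use warnings;
use URI::Escape qw(uri_escape);

# Whole-value escaping: every reserved character in the field is encoded,
# so the value can never add its own path, query or scheme to the link.
sub fill_escaped {
    my ($template, $value) = @_;
    my $safe = uri_escape($value);
    (my $url = $template) =~ s/__CustomField__/$safe/g;
    return $url;
}

# Per-pair escaping: split the value into key=value pairs, escape each key
# and each value on its own, then rejoin with literal '=' and '&'.
sub fill_query_pairs {
    my ($template, $value) = @_;
    my @pairs;
    for my $pair (split /&/, $value) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        push @pairs, uri_escape($k) . '=' . uri_escape($v // '');
    }
    my $query = join '&', @pairs;
    (my $url = $template) =~ s/__CustomField__/$query/g;
    return $url;
}

# Assumed policy for this sketch: only http and https links are rendered.
sub link_allowed {
    my ($url) = @_;
    return $url =~ m{\Ahttps?://}i ? 1 : 0;
}

my $template = 'http://myweb.domain.com/__CustomField__';    # from the thread
my $value    = 'srch=abcd&earliest=klmtime&latest=xyztime';  # from the thread
my $odd      = 'srch=a b"&latest=<x>';                       # constructed sample

for my $v ($value, $odd) {
    print "whole-value: ", fill_escaped($template, $v), "\n";
    my $url = fill_query_pairs($template, $v);
    print "per-pair:    ", (link_allowed($url) ? $url : '(blocked)'), "\n";
}
```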