Field flow: Keep URL params matching HTML attributes #2407
Pre-approved upon successful review.
0c4a4fb to 770559d
To review and fully test.
This is a patch.
00c6715 to 28b6da8
FWIW I retested locally with @duboisp's suggested change and it still worked fine 💯.
Pre-approved upon review and local testing.
When field flow's redirect (redir) action is used, submitting causes the plugin to "transform" the currently-selected dropdown option's URL parameters into hidden input elements. The inputs are created by passing "raw" HTML strings to the jQuery object.

That setup used to play nicely with URL parameters whose keys corresponded to the names of HTML attributes (e.g. lang=anything). But it stopped working when wet-boew/wet-boew#9210 introduced DOMPurify into WET's jQuery 2.x implementation. Why? Because DOMPurify's sanitize() method filters-out name="[any HTML attribute name]" to prevent potential DOM clobbering attacks (see cure53/DOMPurify#980). End result is that jQuery ultimately returns name-less inputs to the plugin, which in turn causes affected parameters to go missing.

This fixes it by using "pure" JavaScript (instead of jQuery) to create the inputs. Also adds a query string example to the redirection demo (with a mix of key naming schemes).

Fixes wet-boew#2406.

Co-authored-by: Pierre Dubois <[email protected]>
28b6da8 to 734faf9
Rebased, updated modified dates and force-pushed. This wasn't running into any merge conflicts, but since it hadn't been tested by any project maintainers yet... I figured it'd make sense to rebase to make it node 20-friendly.
Tested locally. Works as intended.
Thank you all for your contribution!
When field flow's redirect (redir) action is used, submitting causes the plugin to "transform" the currently-selected dropdown option's URL parameters into hidden input elements. The inputs are created by passing "raw" HTML strings to the jQuery object.

That setup used to play nicely with URL parameters whose keys corresponded to the names of HTML attributes (e.g. lang=anything). But it stopped working when wet-boew/wet-boew#9210 introduced DOMPurify into WET's jQuery 2.x implementation. Why? Because DOMPurify's sanitize() method filters-out name="[any HTML attribute name]" to prevent potential DOM clobbering attacks (see cure53/DOMPurify#980). End result is that jQuery ultimately returns name-less inputs to the plugin, which in turn causes affected parameters to go missing.

This fixes it by using "pure" JavaScript (instead of jQuery) to create the inputs. Also adds a query string example to the redirection demo (with a mix of key naming schemes).

Fixes #2406.
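The approach the description names, building the hidden inputs with DOM APIs instead of an HTML string, sketched as an added example; this is not the plugin's code. The names `paramsToHiddenInputs`, `fakeDocument` and `demo`, and the sample URL, are assumptions made for illustration.

```javascript
// Added example, not the plugin's code. All names here are hypothetical.
// Each query-string pair becomes a hidden input created with createElement
// and property assignment. No HTML string is parsed, so no sanitizer sits
// between the key and the input's name, and values are never read as markup.
function paramsToHiddenInputs(url, form, doc) {
  const noHash = url.split("#")[0];
  const at = noHash.indexOf("?");
  const query = at === -1 ? "" : noHash.slice(at + 1);
  const inputs = [];
  for (const [key, value] of new URLSearchParams(query)) {
    const input = doc.createElement("input");
    input.type = "hidden";
    input.name = key;    // keys such as "lang", "id" or "action" are kept
    input.value = value; // stored as text, whatever characters it holds
    form.appendChild(input);
    inputs.push(input);
  }
  return inputs;
}

// Constructed stand-in for the browser's `document` so the example runs
// under Node. In a page, pass the real `document` and a real form element.
const fakeDocument = {
  createElement(tag) {
    return {
      tagName: tag.toUpperCase(),
      children: [],
      appendChild(child) { this.children.push(child); return child; }
    };
  }
};

// Constructed sample URL mixing attribute-like keys with an ordinary one.
function demo() {
  const form = fakeDocument.createElement("form");
  const url = "https://example.com/search?lang=en&id=42&q=%22%3E%3Cb%3Ex&action=go#top";
  return paramsToHiddenInputs(url, form, fakeDocument).map((i) => [i.name, i.value]);
}
```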