Fixed htmlspecialchars corrupts avatar URLs

Affected version
1.5.21

Zenexer

Active member
Searching for a user results in a dropdown in several places (/members/, @-tags, /admin.php?users/). This results in a JSON response, in the form:
Code:
{
    "results": [
        {
            "avatar": "...",
            "username": "..."
        },
        ...
    ]
}
Both the avatar and username fields are escaped with htmlspecialchars; for the former, this occurs in the helperAvatarUrl method. However, when the URL is set for the avatar image in JavaScript, the URL is taken verbatim, so the entities are never decoded by the browser. This results in invalid URLs, particularly for Gravatar if more than one querystring parameter is set, which occurs under normal circumstances.
 

Chris D

XenForo developer
Staff member
I've not noticed any such issues over the years in XF1 so we'll need a more detailed reproduction case.
 

Zenexer

Active member
@Chris D
  1. Use Chrome.
  2. Go to admin.php?users/
  3. Open Chrome DevTools.
  4. Switch to Sources tab in DevTools. Make sure it stays visible on the screen as you perform the following steps.
  5. On admin.php?users/, search for a user that is currently using Gravatar.
  6. Wait for the search suggestion popup to appear with the username and avatar.
  7. Without making any intermediate clicks, click the script pause button in DevTools. This will prevent the suggestion popup from disappearing.
  8. Inspect the small avatar in the popup for the user that is using Gravatar.
  9. Right-click on the <img> tag in DevTools and click Edit as HTML.
  10. Notice that the src attribute is double-escaped:
HTML:
<img class="autoCompleteAvatar" src="https://secure.gravatar.com/avatar/0ad778847b195829b65dddccdf328a14?s=48&amp;amp;d=https%3A%2F%2Fdev.namepros.com%2Fstyles%2Fdefault%2Fxenforo%2Favatars%2Favatar_s.png">
The resulting URL: https://secure.gravatar.com/avatar/0ad778847b195829b65dddccdf328a14?s=48&amp;d=https://dev.namepros.com/styles/default/xenforo/avatars/avatar_s.png

Gravatar actually treats semicolons as querystring parameter delimiters. It sees three parameters:
  1. s=48
  2. amp
  3. d=https://dev.namepros.com/styles/default/xenforo/avatars/avatar_s.png
We can test this by replacing all ampersands with semicolons in a valid URL:
https://secure.gravatar.com/avatar/0ad778847b195829b65dddccdf328a14?s=48;d=https://dev.namepros.com/styles/default/xenforo/avatars/avatar_s.png

This isn't guaranteed to work forever; it could break at any time. Additionally, it makes it difficult for add-ons to support third-party avatar services, or, in our case, to proxy Gravatar URLs through proxy.php. (Normally, Gravatar URLs aren't proxied.)
 
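The mechanism described in the report, as an added example (this is not XenForo's code, and the Gravatar hash is the one from the post while the fallback host example.com is a constructed stand-in): a JSON field that has been through htmlspecialchars() is only safe to drop into markup, where the HTML parser decodes `&amp;` once. When the consumer instead assigns the string to a DOM property (`img.src = json.avatar`, or jQuery's `.attr('src', ...)`), no entity decoding happens and the literal `&amp;` survives in the request URL. The `&amp;amp;` shown by "Edit as HTML" is DevTools serialising that literal `&amp;` back into markup (serialisation escapes `&`), so the live `src` is the single-escaped URL quoted in the post. The parser below treats both `&` and `;` as delimiters, which is the behaviour the report attributes to Gravatar, and the fix shown is the one in the change log: do not HTML-encode the URL in the JSON at all.

```javascript
// Added example (not XenForo's code). Constructed sample URL: hash from the
// report, fallback host replaced with example.com.
const RAW_URL =
  'https://secure.gravatar.com/avatar/0ad778847b195829b65dddccdf328a14' +
  '?s=48&d=https%3A%2F%2Fexample.com%2Favatar_s.png';

// Minimal equivalent of PHP htmlspecialchars() with default flags
// (ENT_QUOTES is not default, so single quotes are left alone).
function htmlspecialchars(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// What the HTML parser does to an attribute value written in markup:
// entities are decoded exactly once. Assigning img.src from JavaScript
// skips this step entirely and uses the string verbatim.
function decodeHtmlEntities(s) {
  return s.replace(/&quot;/g, '"').replace(/&lt;/g, '<').replace(/&gt;/g, '>')
          .replace(/&#0?39;/g, "'").replace(/&amp;/g, '&'); // &amp; last
}

// Query-string parser that splits on both '&' and ';', mirroring the
// delimiter handling the report attributes to Gravatar.
function parseQuery(url, delimiters = /[&;]/) {
  const query = url.split('?')[1] || '';
  const params = {};
  for (const pair of query.split(delimiters)) {
    if (!pair) continue;
    const idx = pair.indexOf('=');
    const key = idx === -1 ? pair : pair.slice(0, idx);
    const value = idx === -1 ? null : decodeURIComponent(pair.slice(idx + 1));
    params[decodeURIComponent(key)] = value;
  }
  return params;
}

// The two ways the escaped JSON field can reach an <img>.
function renderAvatar(escapedUrl, path) {
  if (path === 'html')   return decodeHtmlEntities(escapedUrl); // <img src="..."> in markup
  if (path === 'js-src') return escapedUrl;                     // img.src = json.avatar
  throw new Error('unknown render path: ' + path);
}

// Producer side. Buggy variant HTML-encodes the URL; fixed variant leaves
// it alone, since JSON encoding already protects it in transit and the
// consumer sets a DOM property rather than building markup.
function buildResult(username, avatarUrl, { escapeAvatar }) {
  return {
    username: htmlspecialchars(username),
    avatar: escapeAvatar ? htmlspecialchars(avatarUrl) : avatarUrl,
  };
}

function demo() {
  const buggy = buildResult('Zenexer', RAW_URL, { escapeAvatar: true });
  const fixed = buildResult('Zenexer', RAW_URL, { escapeAvatar: false });
  return {
    buggySrc:    renderAvatar(buggy.avatar, 'js-src'),             // keeps "&amp;"
    buggyParams: parseQuery(renderAvatar(buggy.avatar, 'js-src')), // s, amp, d
    htmlPathSrc: renderAvatar(buggy.avatar, 'html'),               // decoded once, equals RAW_URL
    fixedParams: parseQuery(renderAvatar(fixed.avatar, 'js-src')), // s, d
  };
}
```

Running `demo()` shows the spurious `amp` parameter only on the JavaScript path with the escaped field; the markup path and the unescaped field both yield the intended `s` and `d` parameters.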

XF Bug Bot

XenForo bug fixer bot
Staff member
Thank you for reporting this issue. The issue is now resolved and we are aiming to include that in a future XF release (1.5.23).

Change log:
Remove unexpected HTML encoding in avatar URLs displayed in auto complete results
Any changes made as a result of this issue being resolved may not be rolled out here until later.
 