fix(iframe-common.js): properly encode referrerPageUrl param #1152
Conversation
Currently, referrerPageUrl is added as a query param value without being escaped. That can cause problems on sites with tighter security restrictions. We faced this problem on several sites such as this one: https://yexttest.atlassian.net/browse/PC-208916 It can also cause functional problems when the referrer URL has query parameters. For example, a URL of http://example.com?a=1&b=2 will lead to https://answers.example.com?query=TEST&referrerPageUrl=http://example.com?a=1&b=2 In that example, &b=2 will be treated as a query parameter of the results page URL instead of being part of the referrerPageUrl value.
|
Can you change the base of this PR to the hotfix/v1.33.2 branch? Otherwise LGTM! |
Done. There are still a couple automated tests failing. Is that expected? |
We can ignore all of the browserstack and percy tests because we don't use those services anymore. The headless acceptance tests are still used, however those test seem to behave very unpredictably based on the last few commits in master. I re-ran the headless acceptance tests to see if any more pass |
Still failed. Should we ignore that too? |
Only one test failed this time instead of eight, which is the same as the master branch which suggests that the issue isn't due to this change. So we can ignore that failing test |
Currently, referrerPageUrl is added as a query param value without being escaped. That can cause problems on sites with tighter security restrictions. We faced this problem on several sites such as this one: https://yexttest.atlassian.net/browse/PC-208916
It can also cause functional problems when the referrer URL has query parameters. For example, a URL of http://example.com?a=1&b=2 will lead to https://answers.example.com?query=TEST&referrerPageUrl=http://example.com?a=1&b=2
In that example, &b=2 will be treated as a query parameter of the results page URL instead of being part of the referrerPageUrl value.