#17 ✓resolved
Kieran P

Link URLs w/ Ampersands rendered invalid

Reported by Kieran P | July 30th, 2008 @ 04:29 PM | in 1.1

atz writes:

There are two ways to enter links. If the link is the topic, entered via the dedicated input slot, kete seems to handle valid URLs.

However, if the link is just part of the topic content, entered via the text editor, then it is rendered invalid because it is escaped twice.

For example:




The text displayed would be the correct link if copied/pasted in the browser. The link href itself is bogus though. Note the telltale “&”.

Comments and changes to this ticket

  • Kieran P

    Kieran P July 30th, 2008 @ 04:29 PM

    walter writes:


    Could you clarify if you are using the link tool (chain icon button) in the rich text editor or using the HTML button?

    Also, to isolate this further, could you try turning off javascript and editing the HTML in the description field directly without the use of the rich text editor and let me know what happens, please?



  • Kieran P

    Kieran P July 30th, 2008 @ 04:30 PM

    atz writes:

    I believe I was using the “chain icon” link button. It should be trivial to duplicate the results above. I don’t have the opportunity to test w/o js at this moment.

  • Kieran P

    Kieran P July 30th, 2008 @ 04:31 PM

    james writes:

    As part of improving the XHTML output from Kete, I have fixed an issue where the URL for a web link item was not escaped properly; characters such as ampersands were not escaped in the resulting HTML, rendering it invalid. This may resolve at least part of this ticket.


  • Kieran P

    Kieran P July 30th, 2008 @ 04:31 PM

    During the creation/edit of descriptions of links which contain ampersands (the only case I can find that this happens to), the description seems to be escaped twice, once from TinyMCE when you submit, and another time from acts_as_sanitized (specifically, traced back to vendor/rails/actionpack/lib/action_controller/vendor/html-scanner/html/sanitized.rb, line 163) when it is about to go into the database.

    Now because we can’t simply take out this functionality (would break the sanitizer completely), and we can’t open up TinyMCE to remove its escaping (the bug actually lies with the sanitizer in Rails escaping the ampersand of an already escaped ampersand), from what I can see, there are only two options (please share if you think of another way).


    (quick, effective and only minutely buggy *)

    Open up the process_attributes_for function, and change the line

    node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(value)

    to

    node.attributes[attr_name] = if attr_name == 'style'
      sanitize_css(value)
    elsif attr_name == 'a'
      value.gsub(/</, '&lt;').gsub(/>/, '&gt;') # CGI::escapeHTML also escapes & repeatedly, we don't want this
    else
      CGI::escapeHTML(value)
    end

    (longer but less buggy *)

    In the form, submit a value that is set depending on the status of Javascript, i.e. put a hidden text field “fields_using_tinymce” on forms using tinymce with the value of description if javascript is on, else default empty. Then we have to overwrite the method in sanitized.rb to check if the current field it is escaping is in the list of tinymce fields. If it is, assume the field is escaped by TinyMCE and leave it, otherwise assume it’s not a tinymce field and continue to escape.

    * buggy = when a field is submitted with a link when TinyMCE is off, the link won’t be escaped at all. Not that big of a deal, especially since another bug which we can’t fix means when they edit that link, it’ll get double escaped.

  • Kieran P

    Kieran P July 30th, 2008 @ 04:31 PM

    Looks like formatting in that post didn’t come out as well as it should have. Not to worry. A simpler, smaller fix was found. Unescape before you escape.

    See the following ticket:


  • Kieran P

    Kieran P July 30th, 2008 @ 04:39 PM

    • State changed from “new” to “resolved”

    A fix has been applied via an initializer in Kete. It resolves this issue.
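As an added example (not code from this ticket, from Kete, or from Rails), the following Ruby shows the double escaping the thread describes and the "unescape before you escape" fix; TINYMCE_HREF is a constructed sample value, and sanitize_attributes is a hypothetical stand-in for the sanitizer's attribute loop.

```ruby
require 'cgi'

# Constructed sample: the href TinyMCE submits, already entity-escaped once.
TINYMCE_HREF = 'http://example.com/search?q=kete&amp;lang=en'

# Original sanitizer behaviour: escape the attribute value as-is.
# On an already-escaped value this produces "&amp;amp;", which breaks the link.
def escape_naive(value)
  CGI.escapeHTML(value)
end

# "Unescape before you escape": decode any entities already present, then
# escape exactly once. The result is the same whether the value arrived raw
# (no JavaScript, TinyMCE off) or pre-escaped by TinyMCE, and it is idempotent.
def escape_once(value)
  CGI.escapeHTML(CGI.unescapeHTML(value))
end

# Hypothetical stand-in for the sanitizer walking a node's attributes:
# every attribute is escaped once, except 'style', which has its own CSS
# sanitizer (represented here by a pass-through).
def sanitize_attributes(attrs)
  attrs.each_with_object({}) do |(name, value), out|
    out[name] = name == 'style' ? value : escape_once(value)
  end
end

# The URL a browser requests after decoding the attribute value.
def href_as_browser_sees_it(attr_value)
  CGI.unescapeHTML(attr_value)
end

if __FILE__ == $0
  puts escape_naive(TINYMCE_HREF)  # broken: ...&amp;amp;lang=en
  puts escape_once(TINYMCE_HREF)   # correct: ...&amp;lang=en
  puts href_as_browser_sees_it(escape_once(TINYMCE_HREF))
end
```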

Kete was developed by Horowhenua Library Trust and Katipo Communications Ltd. to build a digital library of Horowhenua material.