verification links not url-encoded

UserSpice forums (https://userspice.com/forums), Support Center, UserSpice 4.3 and Below

verification links not url-encoded - plb - 08-25-2016

I added a test user and used the + type of email address (xyz+abc@gmail.com) which allows my xyz@gmail.com address to suddenly be multiplied into as many test emails as I want.

However, the resulting verification link in the verification email looks like this:

http://localhost/imok/users/verify.php?email=plbowers+foo1@gmail.com&vericode=235269

The plus sign is in there, unencoded, and I get an error when I click on it - unsuccessful verification.

When I manually copy/paste the link and edit the + sign to %2b (practically speaking url-encoding it) then it works fine:

http://localhost/imok/users/verify.php?email=plbowers%2bfoo1@gmail.com&vericode=235269

Something dimly rings a bell in the back of my mind that + is a non-standard google extension to valid email address characters, so an argument could be made that this isn't really a bug. I'm guessing with enough persistence and creativity I could come up with another use-case using standard email address characters that do need to be url-encoded. However, for now I'll be willing to agree that this is pretty close to the edge in terms of edge conditions.

verification links not url-encoded - mudmin - 09-08-2016

Thanks for this one too! We're adding it to 4.1.5!

verification links not url-encoded - brian - 09-08-2016

Hi plb, that's a big oversight on our part and should be fixed. Thanks for pointing that one out.

verification links not url-encoded - plb - 09-08-2016

I ran into this on password reset email as well. Don't know if it's too late to get in 4.1.5.
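
The behaviour reported in this thread for the verification link (and, per the last post, the password reset link), reproduced as an added example that is not part of any post above and is not UserSpice's own code: PHP decodes an unencoded + in a query string as a space, so the receiving script sees a different address than the one that was registered. The function names are hypothetical; the URL, address and code are the ones quoted in the first post.

```php
<?php
// Added example (not UserSpice code). Function names are hypothetical;
// the base URL, address and code are the values quoted in the thread.

// Link built by plain string concatenation, values left unencoded.
function build_link_unencoded(string $base, string $email, string $code): string
{
    return $base . '?email=' . $email . '&vericode=' . $code;
}

// Link built with every parameter value percent-encoded (RFC 3986).
function build_link_encoded(string $base, string $email, string $code): string
{
    $query = http_build_query(
        ['email' => $email, 'vericode' => $code],
        '',
        '&',
        PHP_QUERY_RFC3986
    );
    return $base . '?' . $query;
}

// Decode the query string with the same rules PHP uses to fill $_GET.
function received_params(string $url): array
{
    $params = [];
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
    return $params;
}

$base  = 'http://localhost/imok/users/verify.php';
$email = 'plbowers+foo1@gmail.com';
$code  = '235269';

$links = [
    'unencoded' => build_link_unencoded($base, $email, $code),
    'encoded'   => build_link_encoded($base, $email, $code),
];

foreach ($links as $label => $url) {
    $got = received_params($url)['email'];
    printf("%-9s %s\n", $label, $url);
    printf("          receiving page sees email=%s (%s)\n",
        var_export($got, true),
        $got === $email ? 'matches' : 'does NOT match');
}
```

Encoding the whole value also covers &, =, # and % in an address, any of which would otherwise split or truncate the parameter.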