diff --git a/core/Tracker/PageUrl.php b/core/Tracker/PageUrl.php
index bbd98882cdd1667c769485ba54c8ac92976bf7e7..9f956c5196279ea6c961e68d622ae5a16a4e10bb 100644
--- a/core/Tracker/PageUrl.php
+++ b/core/Tracker/PageUrl.php
@@ -38,7 +38,7 @@ class PageUrl
      * @static
      * @param $originalUrl
      * @param $idSite
-     * @return bool|string
+     * @return bool|string Returned URL is HTML entities decoded
      */
     public static function excludeQueryParametersFromUrl($originalUrl, $idSite)
     {
diff --git a/core/Tracker/TableLogAction.php b/core/Tracker/TableLogAction.php
index fe620035d7207bf3e4a9ce02554d913b4bb00c24..653c7f8407977db4c514e642f398290048c90d13 100644
--- a/core/Tracker/TableLogAction.php
+++ b/core/Tracker/TableLogAction.php
@@ -235,7 +235,7 @@ class TableLogAction
     /**
      * This function will sanitize or not if it's needed for the specified action type
      *
-     * URLs (Page URLs, Downloads, Outlinks) are stored raw (unsanitized)
+     * URLs (Download URL, Outlink URL) are stored raw (unsanitized)
      * while other action types are stored Sanitized
      *
      * @param $actionType
@@ -246,26 +246,25 @@ class TableLogAction
     {
         $actionString = Common::unsanitizeInputValue($actionString);
-        if (self::isActionTypeStoredSanitized($actionType)) {
-            return Common::sanitizeInputValue($actionString);
+        if (self::isActionTypeStoredUnsanitized($actionType)) {
+            return $actionString;
         }
-        return $actionString;
+
+        return Common::sanitizeInputValue($actionString);
     }
     /**
      * @param $actionType
      * @return bool
      */
-    private static function isActionTypeStoredSanitized($actionType)
+    private static function isActionTypeStoredUnsanitized($actionType)
     {
         $actionsTypesStoredUnsanitized = array(
-            $actionType == Action::TYPE_PAGE_URL,
             $actionType == Action::TYPE_DOWNLOAD,
             $actionType == Action::TYPE_OUTLINK,
         );
-        $isStoredUnsanitized = in_array($actionType, $actionsTypesStoredUnsanitized);
-        return !$isStoredUnsanitized;
+        return in_array($actionType, $actionsTypesStoredUnsanitized);
     }
 }
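Review bot: In the rewritten `isActionTypeStoredUnsanitized`, `$actionsTypesStoredUnsanitized` still holds the two comparison results (`$actionType == Action::TYPE_DOWNLOAD`, `$actionType == Action::TYPE_OUTLINK`) rather than the type constants, so the loose `in_array($actionType, ...)` on the last added line is really testing whether `$actionType` loosely equals `true` or `false`; for non-zero type constants this happens to yield the right answer, but a falsy type value, if one exists, would be reported as stored unsanitized, and the intent is hard to read. A strict membership test says what is meant: `$actionsTypesStoredUnsanitized = array(Action::TYPE_DOWNLOAD, Action::TYPE_OUTLINK);` followed by `return in_array($actionType, $actionsTypesStoredUnsanitized, true);`. Since page URLs are now passed through `Common::sanitizeInputValue` before storage, every reader of stored page URLs must decode exactly once (the PageUrl.php hunk in this commit documents `excludeQueryParametersFromUrl` as returning an entity-decoded URL); a comment above `return Common::sanitizeInputValue($actionString);` such as `// Page URLs are stored HTML-entity-encoded from here on; readers must decode once` would make that contract visible at the write side. The function whose body opens with the `{` at the top of this hunk has its signature outside the hunk.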
diff --git a/plugins/Live/templates/_actionsList.twig b/plugins/Live/templates/_actionsList.twig
index a2bce2ab9a3cdf8da3171986dc679333a782bc8d..132321bb1a1bdb8946b4013d8223b75a5eb2a3a6 100644
--- a/plugins/Live/templates/_actionsList.twig
+++ b/plugins/Live/templates/_actionsList.twig
@@ -101,7 +101,7 @@
                     and previousAction.url|default(false) == action.url %}
                     {# For events, do not show (url) if the Event URL is the same as the URL last displayed #}
                 {% else %}
-                    <a href="{{ action.url }}" rel="noreferrer" target="_blank" rel="noreferrer" class="{% if action.eventCategory|default(false) is empty %}action-list-url{# don't put URL on new line for events #}{% endif %} truncated-text-line"
+                    <a href="{{ action.url }}" rel="noreferrer" target="_blank" class="{% if action.eventCategory|default(false) is empty %}action-list-url{# don't put URL on new line for events #}{% endif %} truncated-text-line"
                        {% if overrideLinkStyle is not defined or overrideLinkStyle %}style="{% if action.type=='action' and action.pageTitle|default(false) is not empty %}margin-left: 9px;{% endif %}text-decoration:underline;"{% endif %}>
                     {% if action.eventCategory|default(false) is not empty %}
                         (url)
diff --git a/tests/PHPUnit/Fixtures/TwoVisitsNoKeywordWithBot.php b/tests/PHPUnit/Fixtures/TwoVisitsNoKeywordWithBot.php
index 86c144f8c1a71cd532a344c512b18e39bec8d8c0..ac1dfc42363dd75ed793957cb9ac3b5cf450ff1c 100644
--- a/tests/PHPUnit/Fixtures/TwoVisitsNoKeywordWithBot.php
+++ b/tests/PHPUnit/Fixtures/TwoVisitsNoKeywordWithBot.php
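Review bot: The added line keeps `href="{{ action.url }}"`, which prints the stored URL straight into an attribute; whether that is escaped depends on the Twig autoescape configuration, which this hunk does not show, and attribute escaping alone does not restrict the URL scheme, so a scheme allow-list (http/https) applied before the link is rendered is the usual defence for visitor-supplied URLs. With page URLs now stored entity-encoded (the TableLogAction.php change in this commit), it is worth confirming that the Live layer decodes once and the template escapes once, so that a URL like the fixture's `?filter=<script>...` is neither rendered raw nor double-encoded. The `<a>` element continues on the context lines that follow inside the hunk.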
@@ -53,8 +53,10 @@ class TwoVisitsNoKeywordWithBot extends Fixture
         // VISIT 1 = Referrer is "Keyword not defined"
         // Alsotrigger goal to check that attribution goes to this keyword
         $t->setUrlReferrer('http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CC&url=http%3A%2F%2Fpiwik.org%2F&ei=&usg=');
-        $t->setUrl('http://example.org/this%20is%20cool!');
-        self::checkResponse($t->doTrackPageView('incredible title!'));
+
+        $t->setUrl('http://example.org/this%20is%20cool!?filter=<script>alert(1);</script>{"place":{"place":"0c5b2444-70a0-4932-980c-b4dc0d3f02b5"}}');
+        self::checkResponse($t->doTrackPageView('incredible title! (Page URL contains a HTML entity)'));
+
         $idGoal = 1;
         if (!self::goalExists($idSite, $idGoal)) {
             $idGoal = API::getInstance()->addGoal($idSite, 'triggered js', 'manually', '', '');
diff --git a/tests/PHPUnit/System/expected/test_OneVisitor_NoKeywordSpecified__Live.getLastVisitsDetails_day.xml b/tests/PHPUnit/System/expected/test_OneVisitor_NoKeywordSpecified__Live.getLastVisitsDetails_day.xml
index 90a05a12b621ae93a29909cdf4d37d1f622249c9..011146eed057c4c1513c4154e5a4b4cd641a69c4 100644
--- a/tests/PHPUnit/System/expected/test_OneVisitor_NoKeywordSpecified__Live.getLastVisitsDetails_day.xml
+++ b/tests/PHPUnit/System/expected/test_OneVisitor_NoKeywordSpecified__Live.getLastVisitsDetails_day.xml
@@ -8,7 +8,7 @@
             <actionDetails>
                 <row>
                     <type>action</type>
-                    <url>http://example.org/this%20is%20cool!</url>
+                    <url>http://example.org/this%20is%20cool!?filter=<script>alert(1);</script>{"place":{"place":"0c5b2444-70a0-4932-980c-b4dc0d3f02b5"}}</url>
                     <pageTitle />
                     <pageIdAction>2</pageIdAction>
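Review bot: The new `setUrl` call exercises raw `<`, `>` and `"` characters in the query string, but not a URL that already arrives entity-encoded (containing `&amp;` or `&lt;`), which is the input the `Common::unsanitizeInputValue` → `Common::sanitizeInputValue` round-trip in TableLogAction.php is most likely to alter; a second page view with an already-encoded query value would pin that behaviour. The page title `'incredible title! (Page URL contains a HTML entity)'` also describes the URL as containing an entity while the URL actually contains characters that will become entities once stored, so `(Page URL contains characters that are HTML-encoded when stored)` would state the case more precisely. The fixture method continues outside the hunk.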
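Review bot: In the added `<url>` line the page URL is written with a literal `<script>alert(1);</script>` inside the element text, so read as XML the `script` tag is a child element of `url` rather than character data, and the `"` characters are likewise unescaped; if the API genuinely emits this, an XML-parsing consumer sees the URL split into elements, whereas if the XML renderer escapes element text (`&lt;script&gt;`) this expected file will not match. Worth confirming how the system test compares expected output with the rendered response and whether the renderer escapes element text before relying on this file; the @@ -109 and @@ -124 hunks of the same file carry the same content and inherit whichever answer applies here.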
@@ -109,8 +109,8 @@
             <actionDetails>
                 <row>
                     <type>action</type>
-                    <url>http://example.org/this%20is%20cool!</url>
-                    <pageTitle>incredible title!</pageTitle>
+                    <url>http://example.org/this%20is%20cool!?filter=<script>alert(1);</script>{"place":{"place":"0c5b2444-70a0-4932-980c-b4dc0d3f02b5"}}</url>
+                    <pageTitle>incredible title! (Page URL contains a HTML entity)</pageTitle>
                     <pageIdAction>2</pageIdAction>
                     <pageId>1</pageId>
@@ -124,7 +124,7 @@
                     <revenue>0</revenue>
                     <goalPageId />
-                    <url>http://example.org/this%20is%20cool!</url>
+                    <url>http://example.org/this%20is%20cool!?filter=<script>alert(1);</script>{"place":{"place":"0c5b2444-70a0-4932-980c-b4dc0d3f02b5"}}</url>
                     <icon>plugins/Morpheus/images/goal.png</icon>
                 </row>