BBCode send Text to an URL Query but does not encode & / Ampersand symbol

Get help developing custom BBCodes or request one.
LordRazen
Registered User
Posts: 14
Joined: Tue Dec 20, 2022 2:38 pm

BBCode send Text to an URL Query but does not encode & / Ampersand symbol

Post by LordRazen »

Code: Select all

[command]{URL}[/command]

Code: Select all

<iframe src="../command?cmd={URL}" style="width:100%" scrolling="no"></iframe>
I got a BBCode which sends the Input between the brackets to a certain URL and the result is shown in an iframe.

It's basically a kind of visualizer.

Now I face the problem, that "&" symbols are not converted to ASCII in the URL and therefor completly bread the url query.

Is there any way on how I can fix this?
Last edited by HiFiKabin on Sun Jan 21, 2024 5:27 pm, edited 1 time in total.
Reason: Moved to Custom BBCode Development and Requests
User avatar
Mick
Support Team Member
Support Team Member
Posts: 26702
Joined: Fri Aug 29, 2008 9:49 am

Re: BBCode send Text to an URL Query but does not encode & / Ampersand symbol

Post by Mick »

It’s not recommended to use ‘&’ in URLs, it needs to be escaped like %26 for example.
  • "The more connected we get the more alone we become" - Kyle Broflovski©
  • "The good news is hell is just the product of a morbid human imagination.
    The bad news is, whatever humans can imagine, they can usually create.
    " - Harmony Cobel©
🇬🇧
LordRazen
Registered User
Posts: 14
Joined: Tue Dec 20, 2022 2:38 pm

Re: BBCode send Text to an URL Query but does not encode & / Ampersand symbol

Post by LordRazen »

Is there any possibility for me to do this encoding with the regular BBCode possibilities?
MedicineStorm
Registered User
Posts: 31
Joined: Fri Oct 29, 2021 4:58 pm

Re: BBCode send Text to an URL Query but does not encode & / Ampersand symbol

Post by MedicineStorm »

Does the output have to be a functional URL? How much control do you have over how the input to the cmd variable is treated? The reason I ask is because, if you can control how the command page "decodes" the url, then it could be possible:

Code: Select all

<iframe style="width:100%" scrolling="no">
	<xsl:attribute name="src">
		../command?cmd=<xsl:value-of select="translate(@content, '&?', '&?')"/>
	</xsl:attribute>
</iframe>
Note that the characters in the 3rd parameter of the xsl translate() command are not & and ?, they are homoglyphs. They look similar but aren't special URL characters so they aren't treated as part of the parent URL. If the goal is less about it looking like a URL, and more about it being easy to "decode", you could use any non-URL character to substitute for & and ?. For instance using the following HTML replacement:

Code: Select all

<iframe style="width:100%" scrolling="no">
	<xsl:attribute name="src">
		../command?cmd=<xsl:value-of select="translate(@content, '&?', '@$')"/>
	</xsl:attribute>
</iframe>
This BBCode:
[command]https://www.phpbb.com/community/viewtopic.php?p=15994267&arbitraryvariable=yep[/command]
would create the following tag:
<iframe style="width:100%" scrolling="no" src="../command?cmd=https://www.phpbb.com/community/viewtopic.php$p=15994267@arbitraryvariable=yep"></iframe>

Unfortunately, the translate() command can only replace a single character with a single character. No single-character-to-multiple-character replacements allowed. Otherwise, you could just replace & with %26, and ? with %3F, et cetera.

Does that help at all? I don't know what exactly cmd= needs, or if you have some control over how that ../command page deals with the input so I don't know if this is going to work for you, but I figured I'd throw this at you as a possibility since I hate when my own questions get left on read :/

Return to “Custom BBCode Development and Requests”