URL encode Bug in Autocomplete on Magento 2 - potential security issue

Hi,
it looks like there is a bug in autocomplete. When it constructs a hit to a facet that contains a &, the & is not urlencoded (into %26), which currently just breaks the link. However this might have further security implications I cannot oversee, as obvisouly the remaining part of the facet value is now interpreted as a separate URL part.

Example: Go to www.bobbie.de, and put Godelmann in the search box. You will get results with products, no categories and at the bottom also the full vendor (“Hersteller”) name, “Godelmann Gmbh & Co. KG”. This link goes to https://www.bobbie.de/catalogsearch/result/?q=Godelmann%20GmbH%20&%20Co.%20KG&refinement_key=udropship_vendor
Which should in fact be
https://www.bobbie.de/catalogsearch/result/?q=Godelmann%20GmbH%20%26%20Co.%20KG&refinement_key=udropship_vendor

Hi @alex1 I’m not able to replicate the issue. I’m seeing the url encoding when I click on the facet. Are you clicking somewhere else?

Hi,

klicking here:

Hi @alex1, thanks for pointing this out! It is a bug as the hit.value isn’t encoded for our additional_sections and is rendered as is in the URL.

You can fix it by recreating this section using our hook. This is an example of how to modify a section in autocomplete that you can use as an inspiration:

Thanks Cindy. Will do.

1 Like