Regression analysis 5.3.1 (and 4.6.38?) (fixed 5.3.2) Wordpress merge screen urls broken
What happened?
A security fix to prevent Cross browser scripting attacks was overzealous and url-encoded already encoded urls. This still worked on Drupal but not on Joomla! & Wordpress
**How & When was it addressed **
The bug was released in 5.3.1. It was identified a week later and a release with the fix was issued within 24 hours.
How did the regression fit with our processes?
Security fixes are notoriously risky as they affect all sorts of flows that are hard to test and as of this month they are no longer going through the rc process. It's hard to see how we can avoid errors that affect some flows without markedly more resources. A quick fix to any issues is probably the correct and sensible process.
Recommendations going forwards
Our goal is to move to greater & greater precautionary escaping & preferably move to opt-out escaping in Smarty (although possibly not until the 4.6 LTS has expired at the end of the year in order to keep this work manageable). Ensuring ALL urls are handled the same at the php layer will help substantially here. We should deprecate passing $queryParams as a string to the CRM_System_Url function. We should also come up with a tpl marker like escape|none to indicate where we know we have done this