ublock href-sanitizer not working correctly as expected

Question

ublock href-sanitizer not working correctly as expected

Closed this issue 4 months ago · 7 comments

hurgir commented 4 months ago

Prerequisites

I verified that this is not a filter list issue. Report any issues with filter lists or broken website functionality in the uAssets issue tracker.
This is NOT a YouTube, Facebook or Twitch report. These sites MUST be reported by clicking their respective links.
This is not a support issue or a question. For support, questions, or help, visit /r/uBlockOrigin.
I performed a cursory search of the issue tracker to avoid opening a duplicate issue.
The issue is not present after disabling uBO in the browser.
I checked the documentation to understand that the issue I am reporting is not normal behavior.

I tried to reproduce the issue when...

uBO is the only extension.
uBO uses default lists and settings.
using a new, unmodified browser profile.

Description

ublock href-sanitizer scriplet does not show the desired behavior for links containing the % character in it. The same works as expected with the adguard addon and the filter rule.

A specific URL where the issue occurs.

https://forum.donanimhaber.com/mesaj/yonlen/159073416
https://forum.donanimhaber.com/mesaj/yonlen/159073515

Steps to Reproduce

1.add forum.donanimhaber.com##+js(href-sanitizer, a[href*="/ExternalLinkRedirect"][href*="url="], ?url) rule to my filters.
2.go to https://forum.donanimhaber.com/mesaj/yonlen/159073416
3.click on the amazon.com.tr link on the page

Expected behavior

direct access and opening of the desired site https://www.amazon.com.tr/Arzum-ARZUM-AR5029-ROSY-EP%C4%B0LAT%C3%96R/dp/B07F739SBS?language=tr_TR

Actual behavior

redirect to https://forum.donanimhaber.com/ExternalLinkRedirect?module=after-renderer-for-new-editor&messageId=159073416&url=https://www.amazon.com.tr/Arzum-ARZUM-AR5029-ROSY-EP%c4%b0LAT%c3%96R/dp/B07F739SBS

uBO version

1.58.0

Browser name and version

Brave 1.67.123 Chromium: 126.0.6478.126

Operating System and version

macOS Sonoma 14.5

Answer 1 · 2024-07-12T15:29:51.000Z

Hello, when I apply the rule

forum.donanimhaber.com##+js(href-sanitizer, a[href*="/ExternalLinkRedirect"][href*="url="], ?url)

and click on the link at this address: https://forum.donanimhaber.com/mesaj/yonlen/158899898, it redirects to https://www.temu.com/goods.html?_bg_fs=1 and truncates the rest of the link. However, the link in this message works as expected: https://forum.donanimhaber.com/mesaj/yonlen/158901348.
I noticed that the links which do not work correctly contain the word 'html'.

browser
Brave uBlock Origin development build
Version 1.58.1.103

Answer 2 · 2024-07-12T17:10:12.000Z

it redirects to https://www.temu.com/goods.html?_bg_fs=1

It's a site issue, it's not properly encoding the URL.

Answer 3 · 2024-08-12T12:12:05.000Z

I'm not sure if I should open a new issue, so I'm writing here instead.

1.Add the following filter: onual.com##+js(href-sanitizer, a[href*="https://zxro.com/u/"][href*="url="], ?url)
2.Visit the address: https://onual.com/fiyat/ltb-lacivert-kazak-011241601051219-301-001-p-1840974.html#fiyat=165&kullanici=95
3.Click on the "Ürüne Git" button.
uBlock Origin redirects to https://zxro.com/u/?url=https%3A%2F%2Fwww.n11.com%2Farama%3Fq%3DLtb+Lacivert+Kazak+011241601051219_301+001

The same page, when accessed with the AdGuard Chrome extension and applying the same filter rule, redirects as expected to https://www.n11.com/arama?q=Ltb%20Lacivert%20Kazak%20011241601051219_301%20001

Answer 4 · 2024-08-12T14:39:17.000Z

The URL parameter is not properly encoded by the website. The parameter value used is:

https%3A%2F%2Fwww.n11.com%2Farama%3Fq%3DLtb+Lacivert+Kazak+011241601051219_301+001

When properly encoded, it should have been:

https%3A%2F%2Fwww.n11.com%2Farama%3Fq%3DLtb%2520Lacivert%2520Kazak%2520011241601051219_301%2520001

Answer 5 · 2024-08-12T17:28:18.000Z

When properly encoded, it should have been:

It doesn't seem so, as there are double-encoded spaces in your URL, from %20 to %2520, but %20 is already encoded space just like +, hence no need to encode it twice.

Answer 6 · 2024-08-12T17:35:46.000Z

double-encoded spaces in your URL

Yes, because the URL is a parameter, it needs to go through encodeURIComponent. Just try at the console:

let realURL = new URL('https://www.n11.com/arama?q=Ltb Lacivert Kazak 011241601051219_301 001');
console.log(realURL.href);

let trackerURL = new URL('https://example.com/');
trackerURL.searchParams.set('url', realURL.href);
console.log(trackerURL.href);

Output:

https://www.n11.com/arama?q=Ltb%20Lacivert%20Kazak%20011241601051219_301%20001
https://example.com/?url=https%3A%2F%2Fwww.n11.com%2Farama%3Fq%3DLtb%2520Lacivert%2520Kazak%2520011241601051219_301%2520001

Answer 7 · 2024-08-12T18:30:28.000Z

The URL parameter is not properly encoded by the website.

What I don't get is why then browsers and AdGuard tolerate such URLs and don't make a problem of it.
Also I wonder why uBlock href-sanitizer didn't follow browsers's or AdGuard's apporach: to tolerate it.
(maybe due to risk of breakage or for security concerns).

@hurgir, your both issues have been fixed now in uBO 1.59.1b2 (see the commit above).