Add smarty:nodefaults to default.tpl form. #23153

Merged
merged 1 commit into from
Apr 10, 2022

Conversation

braders
Contributor

@braders braders commented Apr 10, 2022

This allows core forms (e.g. search forms) to submit correctly,
even with CIVICRM_SMARTY_DEFAULT_ESCAPE mode.

Without this change, quote marks were turned into HTML attributes,
meaning the form essentially had no method or action.

Before

[screenshot: 2022-04-10 at 16:19:48, form before the change]

After

[screenshot: 2022-04-10 at 16:20:36, form after the change]

Technical Details

This seemed to be affecting all search forms, and probably other forms as well. This fix was developed in a WordPress context, but I assume the same flaw existed on Drupal/Joomla too.

@civibot

civibot bot commented Apr 10, 2022

(Standard links)

@civibot civibot bot added the master label Apr 10, 2022
@braders
Contributor Author

braders commented Apr 10, 2022

Ping @eileenmcnaughton, I was pretty surprised this hadn't been fixed already; I assume I'm not missing something obvious? Or is this just a sign of just how new CIVICRM_SMARTY_DEFAULT_ESCAPE is?

@braders
Contributor Author

braders commented Apr 10, 2022

@eileenmcnaughton In an example of classic rubber-ducking, having asked the question, I think I've now spotted what I was missing. In CRM_Core_Smarty there is a check for strpos($string, '/civicrm/') === 0. On Drupal that would be true as the form action would be something like /civicrm/contact/search/advanced. However, on WordPress the action would be more like /wp-admin/admin.php?page=CiviCRM&q=civicrm%2Fcontact%2Fsearch%2Fadvanced&reset=1. Notice the absence of slashes around "civicrm" on WordPress!

Therefore I'm guessing you've been testing on Drupal where everything has been working fine.

I actually don't love the check on strpos($string, '/civicrm/') === 0 - it feels so generic that it almost invalidates the exercise of adding default escaping, so I think this PR is still relevant and I'd be in favour of removing that check in CRM_Core_Smarty (it is marked as short-term after all).

I think I can see a few other symptoms of the same problem in my WordPress install, but it's actually surprising how well it all seems to be working regardless. If you're in agreement with my thinking here I should be able to open a few more PRs to tackle the other bits I've noticed here and then maybe we can remove the strpos($string, '/civicrm/') === 0 check.

@eileenmcnaughton
Contributor

@braders I totally agree with your analysis - I added those skips to get to the point where the site loads & basically works but I think the correct answer is to update the tpls with smarty:nodefaults in every place which should not be escaped - it's just that it will take a bit to get to that point
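The two mechanisms the thread is weighing against each other, as an added stand-alone illustration (this is not CiviCRM's code and does not load Smarty): a default-escape modifier that HTML-escapes every template variable except values beginning with '/civicrm/', which is the short-term skip braders quotes from CRM_Core_Smarty, and the explicit |smarty:nodefaults pass-through this PR adds to default.tpl. The function names (isSkippedByPrefix, escapeByDefault, noDefaults, renderFormTag, hasMethodAndAction) and every sample string are hypothetical or constructed; the two action paths are the ones braders gives for Drupal and WordPress.

```php
<?php
declare(strict_types=1);

// Added illustration for this thread; not CiviCRM's own code, no Smarty loaded.
// Models: (a) the default-escape modifier with the short-term '/civicrm/' skip,
// (b) the |smarty:nodefaults pass-through. All names and samples are constructed.

/** The short-term skip as quoted in the thread: a prefix match and nothing more. */
function isSkippedByPrefix(string $value): bool
{
    return strpos($value, '/civicrm/') === 0;
}

/** Model of the default modifier applied to every {$var} output. */
function escapeByDefault(string $value): string
{
    if (isSkippedByPrefix($value)) {
        return $value;                       // emitted raw, whatever follows the prefix
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Model of {$var|smarty:nodefaults}: the default modifier is not applied. */
function noDefaults(string $value): string
{
    return $value;
}

/** Render a <form> opening tag from a pre-built attribute string. */
function renderFormTag(string $attrs, bool $nodefaults = false): string
{
    $body = $nodefaults ? noDefaults($attrs) : escapeByDefault($attrs);
    return '<form ' . $body . '>';
}

/** True if the rendered tag still carries quoted method and action attributes. */
function hasMethodAndAction(string $tag): bool
{
    return preg_match('/\bmethod="[^"]+"/', $tag) === 1
        && preg_match('/\baction="[^"]+"/', $tag) === 1;
}

// 1. The prefix skip, applied to the two action paths quoted in the thread,
//    plus a constructed value showing the skip only looks at the first nine bytes.
$actions = [
    'Drupal'    => '/civicrm/contact/search/advanced',
    'WordPress' => '/wp-admin/admin.php?page=CiviCRM&q=civicrm%2Fcontact%2Fsearch%2Fadvanced&reset=1',
    'prefix'    => '/civicrm/anything" data-x="<raw>',   // constructed, not a real route
];
foreach ($actions as $label => $value) {
    printf("%-9s skipped=%-5s output=%s\n", $label,
        var_export(isSkippedByPrefix($value), true), escapeByDefault($value));
}

// 2. A whole attribute string (constructed), the shape a form layer hands to the template.
$attrs = 'action="/wp-admin/admin.php?page=CiviCRM&q=civicrm%2Fcontact%2Fsearch%2Fadvanced&reset=1"'
       . ' method="post" name="Advanced"';
foreach (['default escape' => false, 'smarty:nodefaults' => true] as $label => $nodefaults) {
    $tag = renderFormTag($attrs, $nodefaults);
    printf("%-17s usable=%-5s %s\n", $label,
        var_export(hasMethodAndAction($tag), true), $tag);
}
```

Run it with the PHP CLI. In part 1 the Drupal path is skipped and printed unchanged, the WordPress path is not skipped and its `&` separators come out as `&amp;`, and the constructed third value shows that anything after the `/civicrm/` prefix is also passed through raw, which is the sense in which braders says the check is generic enough to undercut default escaping. In part 2 the escaped attribute string has its `"` characters turned into `&quot;`, so hasMethodAndAction reports the tag as unusable, while the nodefaults rendering keeps method and action intact, which is what the default.tpl change restores without relying on the prefix skip.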
