View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0007947 | OXID eShop (all versions) | 1.04. Content, static (register, contact etc.) pages | public | 2026-05-13 08:29 | 2026-05-13 08:39 |
| Reporter | michael_keiluweit | Assigned To | |||
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | new | Resolution | open | ||
| Product Version | 7.5.0 | ||||
| Summary | 0007947: Password recovery e-mail templates ship URLs with literal &amp;amp; instead of & | ||||
| Description | The two password-recovery e-mail templates (oxupdatepassinfoemail / oxupdatepassinfoplainemail) in core ship with hardcoded `&amp;` HTML entities inside the activation URL. HTML readers decode the entities back and the link works by accident; **plain-text readers and copy-paste produce a broken URL** (`uid` becomes `amp;uid`, server can't find the user, forgot-password flow fails silently). Source: `vendor/oxid-esales/oxideshop-ce/source/Internal/Setup/Database/Sql/initial_data.sql` Affected DB rows in `oxcontents`: - `oxupdatepassinfoemail` (HTML, both `OXCONTENT` DE and `OXCONTENT_1` EN) - `oxupdatepassinfoplainemail` (Plain text, both DE and EN) — **worse case, user sees `&amp;` raw** Buggy line (4 occurrences across the two rows): ``` …index.php?cl=forgotpwd&amp;uid=…&amp;lang=…&amp;shp=… ``` Should be: ``` …index.php?cl=forgotpwd&uid=…&lang=…&shp=… ``` Same symptom as bug 0007852 (fixed in b2b-buying-agent-module PR-4) but a different root cause: that one was a Twig autoescape issue solved with `|raw`; this one is a hardcoded entity in shipped SQL data. | ||||
| Steps To Reproduce | 1. Fresh 7.x install with demo data + SMTP catcher (Mailpit at mailpit:8025). 2. Trigger forgot-password (existing user e-mail) 3. Inspect mail body — both HTML and Plain: HTML: href="…cl=forgotpwd&amp;uid=…&amp;lang=0&amp;shp=1" Plain: …cl=forgotpwd&amp;uid=…&amp;lang=0&amp;shp=1 5. Simulate a plain-text user / copy-paste: # &amp; becomes literal, server reads "amp;uid" not "uid" - **Expected:** URL uses plain `&` everywhere (href + visible link text + plain body). - **Actual:** All four occurrences contain `&amp;`. Plain-text reader and copy-paste users get a broken link. | ||||
| Additional Information | 1. `initial_data.sql`: replace every `&amp;` with `&` inside the two affected rows (4 columns total: OXCONTENT + OXCONTENT_1 for each). 2. Migration: update `oxcontents` rows for existing installs, otherwise the bug persists after upgrades. | ||||
| Tags | No tags attached. | ||||
| Theme | Not defined | ||||
| Browser | Not defined | ||||
| PHP Version | Not defined | ||||
| Database Version | Not defined | ||||
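
Added example (not part of the report and not OXID code): a regression check for the plain-text part of a captured recovery mail. It parses the link the way a server splits a query string and reports which of the parameters from the report's URL go missing. The host name, uid value and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed plain-text mail body; host and uid value are placeholders.
BROKEN_BODY = (
    "To set a new password, open this link:\n"
    "https://shop.example/index.php?cl=forgotpwd&amp;uid=CONSTRUCTED123"
    "&amp;lang=0&amp;shp=1\n"
    "Terms &amp; conditions apply.\n"
)

# Parameters visible in the URL quoted in the report.
REQUIRED = ("cl", "uid", "lang", "shp")

# A run of URL characters that contains cl=forgotpwd; it ends at
# whitespace, quotes or angle brackets.
FORGOTPWD_URL = re.compile(r"[^\s\"'<>]*\bcl=forgotpwd[^\s\"'<>]*")


def query_params(url):
    """Split the query on '&' only, with no entity decoding."""
    return parse_qs(urlsplit(url).query, separator="&")


def audit_plain_body(body):
    """Return one finding per recovery link that loses a required parameter."""
    findings = []
    for match in FORGOTPWD_URL.finditer(body):
        url = match.group(0)
        params = query_params(url)
        missing = [name for name in REQUIRED if name not in params]
        if missing:
            findings.append(
                {"url": url, "missing": missing, "seen": sorted(params)}
            )
    return findings


def expected_body(body):
    """Rewrite '&amp;' to '&' inside recovery links only, leaving other text."""
    return FORGOTPWD_URL.sub(
        lambda m: m.group(0).replace("&amp;", "&"), body
    )


if __name__ == "__main__":
    for finding in audit_plain_body(BROKEN_BODY):
        print(finding)
```

The check is limited to the plain-text part because an HTML reader decodes entities in `href` before following the link, which is why the report describes that path as working by accident.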