Thread

My web site is breaking in Firefox (only, so far), and only if a visitor has previously clicked on an email link generated by Campaign Monitor.

There is a known issue with Campaign Monitor, which automatically generates trackable links for Google Analytics. Depending on how the email is composed, those trackable links can include characters that are disallowed by ExpressionEngine.

I don’t think I’m dealing with the same issue, because visitors using Firefox to browse my web site are fine UNTIL they click on a trackable link; then the web site, all of it, breaks.

You can recreate the problem by following these links in Firefox, in order. (If you really want to have fun, open each in a new tab or window, and when the last link breaks, reload each of the previous tabs. All of them, including the home page, will break.)

* Home page: http://www.cornwallalliance.org/

* Blog post: http://www.cornwallalliance.org/blog/item/video-highlights-the-household-costs-of-energy-policy/

* Trackable link: http://tinyurl.com/lrvl7o (forwards to a much longer URL: the blog post plus GA tracking—

"?utm_medium=email&utm_source=email newsletter&utm_content=0&utm_campaign=Alert+SGA+video+_+drkiuy&utm;_term=


Video+highlights+the+household+costs+of+energy+policy"

)

Campaign Monitor link: http://go.cornwallalliance.org/t/r/l/drkiuy/l/j (forwards to the same URL as the trackable link)

I can reproduce with Firefox, but only Firefox. All other browsers at my disposal work just fine. What version and build of EE are you using? My guess is that FF, for whatever reasons, tries to set a cookie containing characters EE considers illegal. Clearing cookies makes the sites work again.

Intriguing thought. I know that GA sets a cookie; maybe the CampaignMonitor redirect (http://go.cornwallalliance.org/t/r/l/drkiuy/l/j) sets a cookie, too, that my EE site is trying to access.

I’ve not noticed this issue before, and we’ve been using CM and EE for months. Are any other Campaign Monitor users getting a “Disallowed Key Characters” error that then persists—i.e. it breaks not only the Google Analytics utm tagged link, but all subsequent visits to the web site?

let’s do a quick test.  Look at system/core/core.input.php at line 446 you’ll see:

if ( ! preg_match("#^[a-z0-9\:\_\/\-]+$#i", $str))
{
    exit('Disallowed Key Characters');
}

Change that to:

if ( ! preg_match("#^[a-z0-9\:\_\/\-]+$#i", $str))
{
    exit('Disallowed Key Characters: ' . $str);
}

This way was can see what the offending key is.  When we have it, change the code back to what it was & let us know what you find.

-greg

The result is the same at all four links (home page, blog post, trackable link, and CM link:

Disallowed Key Characters: Video_highlights_the_household_costs_of_energy_policy|utmcct

It’s the vertical bar, I’m betting. For a quick fix you could try to add it to the regex in the code above:

if ( ! preg_match("#^[a-z0-9\:\_\/\-\|]+$#i", $str))
{
    exit('Disallowed Key Characters');
}

Thanks, Ingmar.

For kicks, what are the long-term ramifications (security or otherwise) of allowing the pipe?

Quena, this was only meant as a quick way to verify our findings. Now that we have tracked down the culprit, I recommend to contact the software vendor who is creating the cookie and ask them to use safe characters.

Any permanent hacks would be done at your own risk, and are advised against in the strongest possible terms.