Security update for Core, with self-updated composer

[yaffs-website] / web / core / lib / Drupal / Component / Utility / UrlHelper.php

diff --git a/web/core/lib/Drupal/Component/Utility/UrlHelper.php b/web/core/lib/Drupal/Component/Utility/UrlHelper.php
index 3127eaba64113d0800d2d6d51671708d6880024d..372803590d331436291d563271830036a1cf27f7 100644 (file)
--- a/web/core/lib/Drupal/Component/Utility/UrlHelper.php
+++ b/web/core/lib/Drupal/Component/Utility/UrlHelper.php
@@ -148,6 +148,11 @@ class UrlHelper {
     $scheme_delimiter_position = strpos($url, '://');
     $query_delimiter_position = strpos($url, '?');
     if ($scheme_delimiter_position !== FALSE && ($query_delimiter_position === FALSE || $scheme_delimiter_position < $query_delimiter_position)) {
+      // Split off the fragment, if any.
+      if (strpos($url, '#') !== FALSE) {
+        list($url, $options['fragment']) = explode('#', $url, 2);
+      }
+
       // Split off everything before the query string into 'path'.
       $parts = explode('?', $url);
 
@@ -158,12 +163,7 @@ class UrlHelper {
       }
       // If there is a query string, transform it into keyed query parameters.
       if (isset($parts[1])) {
-        $query_parts = explode('#', $parts[1]);
-        parse_str($query_parts[0], $options['query']);
-        // Take over the fragment, if there is any.
-        if (isset($query_parts[1])) {
-          $options['fragment'] = $query_parts[1];
-        }
+        parse_str($parts[1], $options['query']);
       }
     }
     // Internal URLs.