Group names containing '&' not being url encoded

Page URL: Rey&Reina - Roblox
Impact: Moderate
Frequency: Very Rare
Date First Experienced:
Date Last Experienced:

Reproduction Steps:
Go to the impacted page url and click see all.

Expected Behavior:
I expect clicking view store to take you to the store of the group you clicked view store from, in this case Rey&Reina group catalog.

Actual Behavior:
Instead clicking view store takes you to Rey group catalog.

Workaround:
I use this url encoder https://www.urlencoder.org/ and replace the CreatorName manually. It would honestly be much nicer if instead of using the CreatorName as the distinguishing field, Roblox used UserId/GroupId

11 Likes

Not many people are very attracted to this, but I’m going to go ahead and bump it with some reasons why it needs to be fixed
First of all, this is a moderation team nightmare. This can be used to hide shirts in a group in multiple ways, which if a moderator tries to view the group’s store items they’ll not see any scams lying beneath like botted shirts, fake shirts pretending to be gamepasses etc. all by adding an & to the end of the group name.
Not only is there that, but as a proof of concept for potential malicious redirect, this group I made is capable of adding URL parameters to the store, and if any were to be exploited they could potentially redirect users to a different site.

The link I posted when pressing “See All” will add 3 parameters which sets the store filter to only find shirts with a minimum and maximum price of 0. This is very weak but like I said, it can restrict moderation and could be possibly exploited for worse.

7 Likes

This issue should be fixed now. Thanks for the report!

4 Likes