Malformed URL can result in fatal error of "Argument must be of type string, array given"

Created on 8 May 2024, about 2 months ago

Problem/Motivation

When a faceted search URL is crafted with an extra [], it is interpreted by the Facets module's parsing logic as an array. The code does not expect an array and throws a fatal error.

Circumstances where this occurs

This URL syntax will not typically be produced by a user. Our organization, however, has found *many* instances of it reported in our logs. Based on the patterns, we presume this is bot/spider traffic that is not intended to be malicious but results in querying for invalid parameters.

Steps to reproduce

1. Create a generic faceted search implementation (I used search_api with a single taxonomy entity reference as the facet group).
2. Navigate to /search_page?f[0]=test=1, where "search_page" is the page on which the faceted search exists and "f" is the facet identifier. The remaining parameters can be arbitrary. The page loads, with no errors.
3. Change the URL to /search_page?f[0][0]=test=1. The page will fail to load, with TypeError: explode(): Argument #2 ($string) must be of type string, array given in explode() (line 329 of /code/web/modules/contrib/facets/src/Plugin/facets/url_processor/QueryString.php).

Proposed resolution

If the query param is "malformed" as defined by being of type array, skip further processing.

🐛 Bug report
Status

Active

Version

3.0

Component

Code

Created by

🇺🇸 United States mark_fullmer Tucson
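The guard described under "Proposed resolution", sketched as an added example (not the Facets module's code or a patch from this issue). The function name `parse_facet_filters`, the `:` separator, the return shape and the sample query strings are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: extracts "alias<separator>value" filters from a query
 * string and skips anything that is not a plain string, such as the nested
 * array that f[0][0]=... produces.
 */
function parse_facet_filters(string $queryString, string $filterKey = 'f', string $separator = ':'): array {
  // parse_str() builds arrays from bracket syntax the same way $_GET does.
  parse_str($queryString, $query);
  $params = $query[$filterKey] ?? [];
  $active = [];
  $skipped = 0;

  if (!is_array($params)) {
    // ?f=foo yields a scalar instead of a list of filters; nothing to process.
    return ['active' => $active, 'skipped' => 1];
  }

  foreach ($params as $param) {
    // Malformed input: an extra [] turns the value into an array, which
    // explode() would reject with a TypeError. Skip it instead.
    if (!is_string($param)) {
      $skipped++;
      continue;
    }
    $parts = explode($separator, $param, 2);
    if (count($parts) !== 2 || $parts[0] === '') {
      // No separator or empty alias: not a usable filter.
      $skipped++;
      continue;
    }
    $active[$parts[0]][] = $parts[1];
  }
  return ['active' => $active, 'skipped' => $skipped];
}

// Constructed sample query strings (not taken from real logs).
$samples = [
  'f[0]=topic:12',                 // well-formed
  'f[0][0]=topic:12',              // extra [] => nested array
  'f[0]=topic:12&f[1][x]=topic:7', // one valid entry, one malformed
  'f=topic:12',                    // scalar instead of a list
];
foreach ($samples as $qs) {
  $result = parse_facet_filters($qs);
  printf("%-32s active=%s skipped=%d\n", $qs, json_encode($result['active']), $result['skipped']);
}
```

Counting skipped entries instead of dropping them silently lets a site log the malformed requests and track the bot traffic described above.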
