Posted to dev@httpd.apache.org by Rodent of Unusual Size <Ke...@Golux.Com> on 1998/01/20 16:42:01 UTC
escape_html("Location") ?!??!
PR#1412 remarks that '#' in a Location: response header returned
by a CGI script gets escaped to '%23', which is obviously not
right. Looking into it a little more closely, I find the following
in http_protocol.c:

    case REDIRECT:
    case MOVED:
        bvputs(fd, "The document has moved <A HREF=\"",
               escape_html(r->pool, location), "\">here</A>.<P>\n", NULL);
        break;

escape_html? Excuse me? Wrong call for sure. It's unclear to
me that any escaping should be done here at all; if there should
be, it should be URL-encoding.

escape_html() doesn't appear to touch anything except '<', '>', and
'&', though, so the problem with '#' is probably not arising here.
I just stumbled across this while researching.

Before I delve into this more deeply, does anyone have an explanation
for this escape_html() call?

#ken P-)}

Re: escape_html("Location") ?!??!
Posted by Dean Gaudet <dg...@arctic.org>.
It should be escape_uri.
Dean
On Tue, 20 Jan 1998, Rodent of Unusual Size wrote:
> PR#1412 remarks that '#' in a Location: response header returned
> by a CGI script gets escaped to '%23', which is obviously not
> right. Looking into it a little more closely, I find the following
> in http_protocol.c:
>
>     case REDIRECT:
>     case MOVED:
>         bvputs(fd, "The document has moved <A HREF=\"",
>                escape_html(r->pool, location), "\">here</A>.<P>\n", NULL);
>         break;
>
> escape_html? Excuse me? Wrong call for sure. It's unclear to
> me that any escaping should be done here at all; if there should
> be, it should be URL-encoding.
>
> escape_html() doesn't appear to touch anything except '<', '>', and
> '&', though, so the problem with '#' is probably not arising here.
> I just stumbled across this while researching.
>
> Before I delve into this more deeply, does anyone have an explanation
> for this escape_html() call?
>
> #ken P-)}
>
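
Added example, not part of the original thread and not Apache's code: a C sketch of the two kinds of escaping discussed above, using hypothetical stand-ins demo_escape_html() and demo_escape_uri() and a constructed Location value. It shows that an escaper limited to '<', '>' and '&' leaves a double quote intact inside the HREF attribute, while a percent-encoder rewrites it, and rewrites '#' to '%23' as well when '#' is not on its pass-through list.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an HTML escaper as described in the thread:
 * rewrites only '<', '>' and '&'. Caller frees the result. */
char *demo_escape_html(const char *s)
{
    char *out = malloc(strlen(s) * 5 + 1), *p = out;  /* "&amp;" is longest */
    if (!out) return NULL;
    for (; *s; s++) {
        if (*s == '<')      p += sprintf(p, "&lt;");
        else if (*s == '>') p += sprintf(p, "&gt;");
        else if (*s == '&') p += sprintf(p, "&amp;");
        else                *p++ = *s;
    }
    *p = '\0';
    return out;
}

/* Hypothetical percent-encoder: alphanumerics and bytes listed in `keep`
 * pass through, every other byte becomes %XX. Caller frees the result. */
char *demo_escape_uri(const char *s, const char *keep)
{
    char *out = malloc(strlen(s) * 3 + 1), *p = out;
    if (!out) return NULL;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (isalnum(c) || strchr(keep, c)) *p++ = (char)c;
        else p += sprintf(p, "%%%02X", c);
    }
    *p = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample Location value, not taken from PR#1412. */
    const char *loc = "/doc.html?a=1&b=2#sec\"x";
    char *h  = demo_escape_html(loc);                 /* '"' survives */
    char *u1 = demo_escape_uri(loc, "/.?=&-_~:");     /* '#' not kept */
    char *u2 = demo_escape_uri(loc, "/.?=&-_~:#");    /* '#' kept */
    printf("html : <A HREF=\"%s\">\n", h);
    printf("uri  : <A HREF=\"%s\">\n", u1);
    printf("uri# : <A HREF=\"%s\">\n", u2);
    free(h); free(u1); free(u2);
    return 0;
}
```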