Posted to dev@httpd.apache.org by Rodent of Unusual Size <Ke...@Golux.Com> on 1998/01/20 16:42:01 UTC

escape_html("Location") ?!??!

PR#1412 remarks that '#' in a Location: response header returned
by a CGI script gets escaped to '%23', which is obviously not
right.  Looking into it a little more closely, I find the following
in http_protocol.c:

   case REDIRECT:
   case MOVED:
       bvputs(fd, "The document has moved <A HREF=\"",
              escape_html(r->pool, location), "\">here</A>.<P>\n", NULL);
       break;

escape_html?  Excuse me?  Wrong call for sure.  It's unclear to
me that any escaping should be done here at all; if there should
be, it should be URL-encoding.

escape_html() doesn't appear to touch anything except '<', '>', and
'&', though, so the problem with '#' is probably not arising here.
I just stumbled across this while researching.

Before I delve into this more deeply, does anyone have an explanation
for this escape_html() call?

#ken	P-)}
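To make the distinction in the post concrete, the following is an added example (not code from this thread, and not Apache's own escape_html()/escape_uri()): two minimal hypothetical escapers, one for HTML context and one for URI context, wired into the same "The document has moved" anchor line that the REDIRECT/MOVED case emits. The function names html_escape, uri_escape and redirect_anchor, and the sample Location value, are assumptions made for this example. The HTML escaper handles the three characters the post says escape_html() touches, plus '"' (an addition here, because the value sits inside a double-quoted attribute); the URI escaper percent-encodes only bytes that may not appear raw in a URI and leaves delimiters such as '#' and '?' alone, since turning '#' into '%23' changes the URL's meaning (the symptom PR#1412 describes).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical HTML-context escaper (stand-in for escape_html()).
 * Escapes '<', '>', '&' as the post describes, and additionally '"'
 * because the output lands inside HREF="...". */
char *html_escape(const char *s) {
    size_t n = strlen(s);
    char *out = malloc(n * 6 + 1);   /* worst case: every byte -> "&quot;" */
    char *p = out;
    for (; *s; s++) {
        switch (*s) {
        case '<':  p += sprintf(p, "&lt;");   break;
        case '>':  p += sprintf(p, "&gt;");   break;
        case '&':  p += sprintf(p, "&amp;");  break;
        case '"':  p += sprintf(p, "&quot;"); break;
        default:   *p++ = *s;
        }
    }
    *p = '\0';
    return out;
}

/* Bytes that may not appear raw in a URI: space, controls, non-ASCII,
 * and a few characters browsers treat as unsafe. Reserved delimiters
 * ('#', '?', '&', '=', '/', ':') are deliberately NOT in this set:
 * percent-encoding them changes what the URL means. */
static int uri_needs_escape(unsigned char c) {
    if (c <= 0x20 || c >= 0x7f) return 1;
    return strchr("\"<>\\^`{|}", c) != NULL;
}

/* Hypothetical URI-context escaper (stand-in for escape_uri()). */
char *uri_escape(const char *s) {
    size_t n = strlen(s);
    char *out = malloc(n * 3 + 1);   /* worst case: every byte -> "%XX" */
    char *p = out;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (uri_needs_escape(c)) p += sprintf(p, "%%%02X", c);
        else                     *p++ = (char)c;
    }
    *p = '\0';
    return out;
}

/* Builds the redirect body line from the REDIRECT/MOVED case using
 * whichever escaper is passed in, so the two outputs can be compared. */
char *redirect_anchor(const char *location, char *(*esc)(const char *)) {
    const char *pre  = "The document has moved <A HREF=\"";
    const char *post = "\">here</A>.<P>\n";
    char *e = esc(location);
    char *out = malloc(strlen(pre) + strlen(e) + strlen(post) + 1);
    strcpy(out, pre);
    strcat(out, e);
    strcat(out, post);
    free(e);
    return out;
}

int main(void) {
    /* Constructed sample Location value with a query and a fragment. */
    const char *loc = "http://example.com/doc?a=1&b=2#section";
    char *h = redirect_anchor(loc, html_escape);
    char *u = redirect_anchor(loc, uri_escape);
    printf("HTML-escaped: %s", h);
    printf("URI-escaped:  %s", u);
    free(h);
    free(u);
    return 0;
}
```

Run it and compare the two anchor lines: the HTML escaper rewrites '&' as '&amp;', which the browser decodes back to the query separator before following the link, while the URI escaper leaves '&' and '#' untouched and would only percent-encode bytes such as spaces. Neither escaper, used correctly, turns '#' into '%23'; a value that does arrive that way was already encoded somewhere else.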

Re: escape_html("Location") ?!??!

Posted by Dean Gaudet <dg...@arctic.org>.
It should be escape_uri.

Dean

On Tue, 20 Jan 1998, Rodent of Unusual Size wrote:

> PR#1412 remarks that '#' in a Location: response header returned
> by a CGI script gets escaped to '%23', which is obviously not
> right.  Looking into it a little more closely, I find the following
> in http_protocol.c:
> 
>    case REDIRECT:
>    case MOVED:
>        bvputs(fd, "The document has moved <A HREF=\"",
>               escape_html(r->pool, location), "\">here</A>.<P>\n", NULL);
>        break;
> 
> escape_html?  Excuse me?  Wrong call for sure.  It's unclear to
> me that any escaping should be done here at all; if there should
> be, it should be URL-encoding.
> 
> escape_html() doesn't appear to touch anything except '<', '>', and
> '&', though, so the problem with '#' is probably not arising here.
> I just stumbled across this while researching.
> 
> Before I delve into this more deeply, does anyone have an explanation
> for this escape_html() call?
> 
> #ken	P-)}
>