Posted to dev@httpd.apache.org by "Roy T. Fielding" <fi...@kiwi.ics.uci.edu> on 1998/01/21 00:45:31 UTC

Re: escape_html("Location") ?!??!

In message <34...@Golux.Com>, Rodent of Unusual Size writes:
>PR#1412 remarks that '#' in a Location: response header returned
>by a CGI script gets escaped to '%23', which is obviously not
>right.  Looking into it a little more closely, I find the following
>in http_protocol.c:
>
>   case REDIRECT:
>   case MOVED:
>       bvputs(fd, "The document has moved <A HREF=\"",
>              escape_html(r->pool, location), "\">here</A>.<P>\n", NULL);
>       break;
>
>escape_html?  Excuse me?  Wrong call for sure.  It's unclear to
>me that any escaping should be done here at all; if there should
>be, it should be URL-encoding.

Nope, that is the right call.  The URL should already be encoded at that
point -- the HTML escaping is for any "&", which is a reserved character
in HTML CDATA (the attribute data type for href).

....Roy
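
An added illustration of the distinction described above (not part of the original thread, and not Apache's code): the hypothetical helpers `html_escape` and `html_unescape` show that the entity form exists only inside the HTML body's HREF attribute, where an HTML parser decodes it back to the URL. In this sketch the Location header line is written from the unescaped value.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical entity table for this example; not Apache's escape_html(). */
static const struct { char ch; const char *ent; } ENT[4] = {
    {'&', "&amp;"}, {'<', "&lt;"}, {'>', "&gt;"}, {'"', "&quot;"} };

/* HTML-escape src into dst (cap >= 1); stops early rather than overflow. */
static void html_escape(const char *src, char *dst, size_t cap)
{
    size_t n = 0;
    for (; *src; src++) {
        const char *rep = NULL;
        for (int i = 0; i < 4; i++)
            if (*src == ENT[i].ch) rep = ENT[i].ent;
        size_t len = rep ? strlen(rep) : 1;
        if (n + len >= cap) break;
        memcpy(dst + n, rep ? rep : src, len);
        n += len;
    }
    dst[n] = '\0';
}

/* What an HTML parser does to an attribute value: decode entities once. */
static void html_unescape(const char *src, char *dst, size_t cap)
{
    size_t n = 0;
    for (; *src && n + 1 < cap; n++) {
        size_t len = 1;
        dst[n] = *src;
        for (int i = 0; i < 4; i++)
            if (strncmp(src, ENT[i].ent, strlen(ENT[i].ent)) == 0) {
                dst[n] = ENT[i].ch;
                len = strlen(ENT[i].ent);
            }
        src += len;
    }
    dst[n] = '\0';
}

int main(void)
{
    const char *loc = "http://host/cgi-bin/foo?&a=1&b=2"; /* URL from the thread */
    char esc[256], back[256];
    html_escape(loc, esc, sizeof esc);
    html_unescape(esc, back, sizeof back);
    printf("Location: %s\r\n\r\n", loc);          /* header: URL as-is */
    printf("The document has moved <A HREF=\"%s\">here</A>.<P>\n", esc);
    printf("href after entity decoding: %s\n", back);
    return 0;
}
```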

Re: escape_html("Location") ?!??!

Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
Roy T. Fielding wrote:
> 
> Nope, that is the right call.  The URL should already be encoded at that
> point -- the HTML escaping is for any "&", which is a reserved character
> in HTML CDATA (the attribute data type for href).

But then something like "http://host/cgi-bin/foo?&a=1&b=2" will be
broken.  It will be turned into "http://host/cgi-bin/foo&amp;a=1&amp;b=2".
That can't be right, since it not only re-injects an ampersand but
sticks an HTML character entity into an HTTP element.

How is a response header field like this

    Location: http://host/cgi-bin/foo&amp;a=1&amp;b=2

valid HTTP?

#ken	P-)}