Posted to dev@httpd.apache.org by "Roy T. Fielding" <fi...@kiwi.ics.uci.edu> on 1998/01/21 00:45:31 UTC
Re: escape_html("Location") ?!??!
In message <34...@Golux.Com>, Rodent of Unusual Size writes:
>PR#1412 remarks that '#' in a Location: response header returned
>by a CGI script gets escaped to '%23', which is obviously not
>right. Looking into it a little more closely, I find the following
>in http_protocol.c:
>
>    case REDIRECT:
>    case MOVED:
>        bvputs(fd, "The document has moved <A HREF=\"",
>               escape_html(r->pool, location), "\">here</A>.<P>\n", NULL);
>        break;
>
>escape_html? Excuse me? Wrong call for sure. It's unclear to
>me that any escaping should be done here at all; if there should
>be, it should be URL-encoding.
Nope, that is the right call. The URL should already be encoded at that
point -- the HTML escaping is for any "&", which is a reserved character
in HTML CDATA (the attribute data type for href).
....Roy
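The point Roy makes above, as an added illustration that is not code from this thread or from Apache's http_protocol.c: the Location header carries the (already URL-encoded) address untouched, while the copy of that address placed inside the body's href attribute gets HTML entity escaping, so that a literal "&" in the query string cannot be read as the start of an entity. The function names html_attr_escape and build_redirect are assumptions for this example, not Apache's escape_html(), and the sample URL is constructed. Note that '#' is not an HTML-special character and passes through unchanged, which is what one would expect from this code path for the PR#1412 case.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal HTML escaping for text placed inside a double-quoted attribute
 * value such as href="...". '&', '<', '>' and '"' become character
 * entities; everything else, including already percent-encoded bytes
 * like %23 and a '#' fragment separator, is copied through unchanged.
 * Hypothetical helper (not Apache's escape_html). Caller frees the result. */
char *html_attr_escape(const char *s) {
    size_t extra = 0;
    for (const char *p = s; *p; p++) {
        switch (*p) {
        case '&': extra += 4; break;   /* &amp;  */
        case '<': extra += 3; break;   /* &lt;   */
        case '>': extra += 3; break;   /* &gt;   */
        case '"': extra += 5; break;   /* &quot; */
        default: break;
        }
    }
    char *out = malloc(strlen(s) + extra + 1);
    if (!out) return NULL;
    char *o = out;
    for (const char *p = s; *p; p++) {
        switch (*p) {
        case '&': memcpy(o, "&amp;", 5);  o += 5; break;
        case '<': memcpy(o, "&lt;", 4);   o += 4; break;
        case '>': memcpy(o, "&gt;", 4);   o += 4; break;
        case '"': memcpy(o, "&quot;", 6); o += 6; break;
        default:  *o++ = *p; break;
        }
    }
    *o = '\0';
    return out;
}

/* Build the kind of redirect response the thread discusses. The Location
 * header field carries the URL as-is (HTTP has no notion of HTML entities),
 * while the same URL inside the HTML body's href is entity-escaped. A
 * browser decodes &amp; back to & before using the href as a URL, so both
 * lines name the same resource. Hypothetical helper; caller frees the result. */
char *build_redirect(const char *location) {
    char *href = html_attr_escape(location);
    if (!href) return NULL;
    const char *fmt =
        "Location: %s\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "The document has moved <A HREF=\"%s\">here</A>.<P>\n";
    size_t n = strlen(fmt) + strlen(location) + strlen(href) + 1;
    char *resp = malloc(n);
    if (resp) snprintf(resp, n, fmt, location, href);
    free(href);
    return resp;
}

int main(void) {
    /* constructed sample: a query string with '&' and a '#' fragment */
    const char *loc = "http://host/cgi-bin/foo?a=1&b=2#sec";
    char *resp = build_redirect(loc);
    if (!resp) return 1;
    fputs(resp, stdout);
    free(resp);
    return 0;
}
```

Running it prints a Location line containing the raw "&" and "#", followed by a body whose href reads `foo?a=1&amp;b=2#sec`; the two differ only by the entity, which is exactly the escaping the href attribute context requires and the header context must not receive.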
Re: escape_html("Location") ?!??!
Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
Roy T. Fielding wrote:
>
> Nope, that is the right call. The URL should already be encoded at that
> point -- the HTML escaping is for any "&", which is a reserved character
> in HTML CDATA (the attribute data type for href).
But then something like "http://host/cgi-bin/foo?&a=1&b=2" will be
broken. It will be turned into "http://host/cgi-bin/foo&amp;a=1&amp;b=2".
That can't be right, since it not only re-injects an ampersand but
sticks an HTML character entity into an HTTP element.
How is a response header field like this
Location: http://host/cgi-bin/foo&amp;a=1&amp;b=2
valid HTTP?
#ken P-)}