You are viewing a plain text version of this content. The canonical link for it is here.

Posted to modperl@perl.apache.org by m-...@wickline.org on 2003/04/03 18:01:38 UTC

BUG [in docs] semicolon-separated param pairs fail w/ MSIE in meta redirect tags

Stas wrote:
 > Matthew, can you please repost it to the mod_perl list?
 > There are many more people who can followup on this.
 > Thanks.

I won't be subscribed long enough to read any replies to this mesg, but 
am posting here at Stas' suggestion. Hopefully someone here will be able 
to update the docs if appropriate.

Yesterday I was reading
http://perl.apache.org/docs/tutorials/client/browserbugs/browserbugs.html

and noticed:
     > either you should avoid using such keys
     > or you should separate parameter pairs
     > with ; instead of &

This is fine advice. It's standards compliant and *should* work 
perfectly. In practice, it does work with one exception. MSIE (or at 
least certain recent versions of it) can fail to redirect properly if 
you use ; separators in a URL which is used in a meta redirect tag.

Suppose the URL to which you're redirecting is supposed to contain a 
parameter "volt" with value "1" and another parameter "amp" with a value 
of "2".

The URL could be either of these two if you're using CGI.pm
     http://example.com/?volt=1&amp=2
     http://example.com/?volt=1;amp=2

Since the URL is appearing in HTML, then you have to HTML entity encode 
the URL, which means that the URL in your meta redirect tag needs to be 
either of these two
     http://example.com/?volt=1&amp;amp=2
     http://example.com/?volt=1;amp=2

Either of those *should* work in functional browsers.

However, (at least certain versions of) MSIE will incorrectly read those 
two urls (if found in meta redirects) as
     http://example.com/?volt=1&amp;amp=2
     http://example.com/?volt=1

Note that the second URL lost everything after the semicolon. In 
versions of MSIE which are afflicted in this manner, you can only have 
semicolons in your URL if they are the terminal characters of HTML 
entity encoding sequences.

This means that in your meta redirects you *must* use the encoded & 
character (&amp; or a numeric encoding) to separate your parameter 
name/value pairs *unless* you can be certain that none of your users 
will be using one of the broken browsers.

See also
     http://rt.cpan.org/NoAuth/Bug.html?id=2130

I thought this note might be appropriate to add to
http://perl.apache.org/docs/tutorials/client/browserbugs/browserbugs.html

-matt
(who is now unsubscribing. Thanks for your time :)

semicolon-separated URL param pairs aren't good enough for recent IE?

Posted by Stas Bekman <st...@stason.org>.

Folks, please take a look at this one. (the original subject was misleading, 
as it wasn't a bug in docs per se, but something that earlier everybody has 
agreed upon here on the list and now Matthew has discovered that this is no 
longer correct. Since I'm not using MSIE and can't verify this please help to 
resolve this issue:

Matthew wrote:

> Yesterday I was reading
> http://perl.apache.org/docs/tutorials/client/browserbugs/browserbugs.html
> 
> and noticed:
>     > either you should avoid using such keys
>     > or you should separate parameter pairs
>     > with ; instead of &
> 
> This is fine advice. It's standards compliant and *should* work 
> perfectly. In practice, it does work with one exception. MSIE (or at 
> least certain recent versions of it) can fail to redirect properly if 
> you use ; separators in a URL which is used in a meta redirect tag.
> 
> Suppose the URL to which you're redirecting is supposed to contain a 
> parameter "volt" with value "1" and another parameter "amp" with a value 
> of "2".
> 
> The URL could be either of these two if you're using CGI.pm
>     http://example.com/?volt=1&amp=2
>     http://example.com/?volt=1;amp=2
> 
> Since the URL is appearing in HTML, then you have to HTML entity encode 
> the URL, which means that the URL in your meta redirect tag needs to be 
> either of these two
>     http://example.com/?volt=1&amp;amp=2
>     http://example.com/?volt=1;amp=2
> 
> Either of those *should* work in functional browsers.
> 
> However, (at least certain versions of) MSIE will incorrectly read those 
> two urls (if found in meta redirects) as
>     http://example.com/?volt=1&amp;amp=2
>     http://example.com/?volt=1
> 
> Note that the second URL lost everything after the semicolon. In 
> versions of MSIE which are afflicted in this manner, you can only have 
> semicolons in your URL if they are the terminal characters of HTML 
> entity encoding sequences.
> 
> This means that in your meta redirects you *must* use the encoded & 
> character (&amp; or a numeric encoding) to separate your parameter 
> name/value pairs *unless* you can be certain that none of your users 
> will be using one of the broken browsers.
> 
> 
> See also
>     http://rt.cpan.org/NoAuth/Bug.html?id=2130
> 
> 
> I thought this note might be appropriate to add to
> http://perl.apache.org/docs/tutorials/client/browserbugs/browserbugs.html
> 
> -matt
> (who is now unsubscribing. Thanks for your time :)


-- 


__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com