httpd-dev mailing list archives

From "Roy T. Fielding" <>
Subject Re: escape_html("Location") ?!??!
Date Tue, 20 Jan 1998 23:45:31 GMT
In message <34C4C5C9.3F2CA8F3@Golux.Com>, Rodent of Unusual Size writes:
>PR#1412 remarks that '#' in a Location: response header returned
>by a CGI script gets escaped to '%23', which is obviously not
>right.  Looking into it a little more closely, I find the following
>in http_protocol.c:
>   case REDIRECT:
>   case MOVED:
>       bvputs(fd, "The document has moved <A HREF=\"",
>              escape_html(r->pool, location), "\">here</A>.<P>\n", NULL);
>       break;
>escape_html?  Excuse me?  Wrong call for sure.  It's unclear to
>me that any escaping should be done here at all; if there should
>be, it should be URL-encoding.

Nope, that is the right call.  The URL should already be encoded at that
point -- the HTML escaping is for any "&", which is a reserved character
in HTML CDATA (the attribute data type for href).
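As an added illustration of the point above (example code written for this archive page, not Apache's own escape_html() or http_protocol.c), the following C program HTML-escapes an already percent-encoded Location value before placing it in an HREF attribute. The function names html_escape_attr() and redirect_body(), the helpers, and the sample URLs are all assumptions constructed for the example. It shows that the only characters touched are the ones HTML attribute data reserves ('&', '"', '<', '>'), so a '#' fragment passes through unchanged and no "%23" appears.

```c
/* Added example (not Apache's code): HTML-escaping an already URL-encoded
 * Location value before inserting it into an <A HREF="..."> attribute.
 * Assumptions: the input is a complete, already percent-encoded URL, and the
 * caller supplies the output buffer and its size. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Escape the characters that have meaning inside HTML attribute data.
 * '&' starts an entity reference and '"' would end the quoted attribute;
 * '<' and '>' are escaped so the same value is also safe in element content.
 * URL characters such as '#', '%', '?' and '/' are left alone: they are not
 * special in HTML, and percent-encoding them here would corrupt the link.
 * Returns the length of the result, or -1 if the output buffer is too small
 * (the output is then truncated but still NUL-terminated). */
int html_escape_attr(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen == 0)
        return -1;
    for (const char *p = in; *p; p++) {
        char single[2] = { *p, '\0' };
        const char *rep;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        default:   rep = single;   break;
        }
        size_t rl = strlen(rep);
        if (o + rl >= outlen) {          /* keep room for the NUL */
            out[o] = '\0';
            return -1;
        }
        memcpy(out + o, rep, rl);
        o += rl;
    }
    out[o] = '\0';
    return (int)o;
}

/* Build the redirect page body the way the quoted http_protocol.c fragment
 * does, with the attribute value escaped. Returns the body length or -1. */
int redirect_body(const char *location, char *out, size_t outlen)
{
    char esc[512];
    if (html_escape_attr(location, esc, sizeof esc) < 0)
        return -1;
    int n = snprintf(out, outlen,
                     "The document has moved <A HREF=\"%s\">here</A>.<P>\n", esc);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Test helper: 1 if escaping `in` yields exactly `expected`, else 0. */
int escapes_to(const char *in, const char *expected)
{
    char buf[512];
    int n = html_escape_attr(in, buf, sizeof buf);
    return n == (int)strlen(expected) && strcmp(buf, expected) == 0;
}

/* Test helper: 1 if escaping `in` into a buffer of `outlen` bytes overflows. */
int overflows(const char *in, size_t outlen)
{
    char buf[64];
    if (outlen > sizeof buf)
        outlen = sizeof buf;
    return html_escape_attr(in, buf, outlen) < 0;
}

int main(void)
{
    /* Constructed sample Location values (not taken from the page). */
    const char *locs[] = {
        "http://www.example.com/docs/index.html#section2",
        "http://www.example.com/cgi-bin/search?q=a%20b&page=2",
    };
    char body[1024];
    for (size_t i = 0; i < sizeof locs / sizeof locs[0]; i++) {
        if (redirect_body(locs[i], body, sizeof body) < 0)
            printf("buffer too small for %s\n", locs[i]);
        else
            fputs(body, stdout);
    }
    return 0;
}
```

Run it and the first URL comes out with its '#' intact while the second has only its '&' rewritten to "&amp;"; the browser decodes the entity back to '&' before following the link, which is why HTML escaping and URL encoding are separate, non-interchangeable steps.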
