httpd-dev mailing list archives

From "Roy T. Fielding"
Subject Re: escape_html("Location") ?!??!
Date Sun, 25 Jan 1998 09:14:35 GMT
>> Nope, that is the right call.  The URL should already be encoded at that
>> point -- the HTML escaping is for any "&", which is a reserved character
>> in HTML CDATA (the attribute data type for href).
>But then something like "http://host/cgi-bin/foo?&a=1&b=2" will be
>broken.  It will be turned into "http://host/cgi-bin/foo&amp;a=1&amp;b=2".
>That can't be right, since it not only re-injects an ampersand but
>sticks an HTML character entity into an HTTP element..
>How is a response header field like this
>    Location: http://host/cgi-bin/foo&amp;a=1&amp;b=2
>valid HTTP?

Ummm, what piece of code are you talking about? The one I was referring
to was only calling escape_html within the print statement that was
outputting the HTML file containing an anchor to the location.  The
Location header field is set long before that call.
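
The distinction drawn in this message, as an added example that is not part of the original post and not Apache's code: one already URL-encoded string is written unchanged into the Location header and entity-escaped only where it is printed as an href in the HTML body. The names html_escape and build_redirect, the buffer sizes, the control-character check and the sample URL are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical helper, not Apache's escape_html: entity-escape the
 * characters special in an HTML attribute. Returns -1 if out is too small. */
static int html_escape(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0) return -1;
    for (; *in; in++) {
        const char *rep = NULL;
        switch (*in) {
        case '&': rep = "&amp;";  break;
        case '<': rep = "&lt;";   break;
        case '>': rep = "&gt;";   break;
        case '"': rep = "&quot;"; break;
        }
        size_t n = rep ? strlen(rep) : 1;
        if (o + n >= outsz) return -1;
        memcpy(out + o, rep ? rep : in, n);
        o += n;
    }
    out[o] = '\0';
    return 0;
}

/* One already URL-encoded string feeds both outputs: the header takes it
 * as-is, and only the HTML body is entity-escaped. */
static int build_redirect(const char *url, char *hdr, size_t hdrsz,
                          char *body, size_t bodysz)
{
    char esc[1024];
    /* Added assumption: reject raw control characters such as CR and LF. */
    for (const char *p = url; *p; p++)
        if ((unsigned char)*p < 0x20 || *p == 0x7f)
            return -1;
    if (html_escape(url, esc, sizeof esc) != 0 ||
        snprintf(hdr, hdrsz, "Location: %s", url) >= (int)hdrsz ||
        snprintf(body, bodysz, "<a href=\"%s\">here</a>", esc) >= (int)bodysz)
        return -1;
    return 0;
}

int main(void)
{
    char h[128], b[256];  /* constructed sample URL below */
    if (build_redirect("http://host/cgi-bin/foo?a=1&b=2", h, sizeof h, b, sizeof b) == 0)
        printf("%s\n%s\n", h, b);
    return 0;
}
```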

