httpd-dev mailing list archives

From "Roy T. Fielding" <field...@kiwi.ics.uci.edu>
Subject Re: escape_html("Location") ?!??!
Date Sun, 25 Jan 1998 09:14:35 GMT
>> Nope, that is the right call.  The URL should already be encoded at that
>> point -- the HTML escaping is for any "&", which is a reserved character
>> in HTML CDATA (the attribute data type for href).
>
>But then something like "http://host/cgi-bin/foo?&a=1&b=2" will be
>broken.  It will be turned into "http://host/cgi-bin/foo&amp;a=1&amp;b=2".
>That can't be right, since it not only re-injects an ampersand but
>sticks an HTML character entity into an HTTP element.
>
>How is a response header field like this
>
>    Location: http://host/cgi-bin/foo&amp;a=1&amp;b=2
>
>valid HTTP?

Ummm, what piece of code are you talking about? The one I was referring
to was only calling escape_html within the print statement that was
outputting the HTML file containing an anchor to the location.  The
Location header field is set long before that call.

....Roy
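
The distinction described in the message above, as an added example that is not part of the original message or of Apache's source: the Location header carries the URL unchanged, and only the copy written into the HTML body's href is HTML-escaped. `html_escape` and `build_redirect` are hypothetical names; the sample URL is the one quoted in the thread.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the escape_html call in the thread (not Apache's code). */
static int html_escape(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (; *in; in++) {
        const char *rep = NULL;
        switch (*in) {
        case '&': rep = "&amp;";  break;
        case '<': rep = "&lt;";   break;
        case '>': rep = "&gt;";   break;
        case '"': rep = "&quot;"; break;
        }
        size_t n = rep ? strlen(rep) : 1;
        if (o + n >= outsz)
            return -1;                 /* refuse to truncate */
        if (rep)
            memcpy(out + o, rep, n);
        else
            out[o] = *in;
        o += n;
    }
    out[o] = '\0';
    return 0;
}

/* Build a redirect: the header gets the URL unchanged, the body gets the escaped copy. */
int build_redirect(const char *url, char *resp, size_t respsz)
{
    char href[1024];
    if (html_escape(url, href, sizeof href) != 0)
        return -1;
    int n = snprintf(resp, respsz,
                     "HTTP/1.0 302 Found\r\n"
                     "Location: %s\r\n"
                     "Content-Type: text/html\r\n\r\n"
                     "<A HREF=\"%s\">here</A>\n", url, href);
    return (n < 0 || (size_t)n >= respsz) ? -1 : 0;
}

int main(void)
{
    char resp[2048];
    if (build_redirect("http://host/cgi-bin/foo?&a=1&b=2", resp, sizeof resp) == 0)
        fputs(resp, stdout);
    return 0;
}
```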
