httpd-dev mailing list archives

From Dean Gaudet <dgau...@arctic.org>
Subject Re: escape_html("Location") ?!??!
Date Tue, 20 Jan 1998 17:57:39 GMT
It should be escape_uri.

Dean

On Tue, 20 Jan 1998, Rodent of Unusual Size wrote:

> PR#1412 remarks that '#' in a Location: response header returned
> by a CGI script gets escaped to '%23', which is obviously not
> right.  Looking into it a little more closely, I find the following
> in http_protocol.c:
> 
>    case REDIRECT:
>    case MOVED:
>        bvputs(fd, "The document has moved <A HREF=\"",
>               escape_html(r->pool, location), "\">here</A>.<P>\n",
>               NULL);
>        break;
> 
> escape_html?  Excuse me?  Wrong call for sure.  It's unclear to
> me that any escaping should be done here at all; if there should
> be, it should be URL-encoding.
> 
> escape_html() doesn't appear to touch anything except '<', '>', and
> '&', though, so the problem with '#' is probably not arising here.
> I just stumbled across this while researching.
> 
> Before I delve into this more deeply, does anyone have an explanation
> for this escape_html() call?
> 
> #ken	P-)}
> 
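
The question raised in this message, which encoding belongs on a Location value placed inside HREF="...", worked through as an added example that is not part of the original message and is not Apache's code. It assumes one common approach: URI-escape the value first, then HTML-escape the result for the attribute. The helper names (uri_escape, attr_escape, href_value) are hypothetical and the sample Location value is constructed.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical helpers, not Apache's escape_uri()/escape_html(). Step 1:
 * percent-encode bytes outside the URI unreserved/reserved sets (and keep '%'),
 * so '#', '?' and '&' stay literal. Returns 0, or -1 if out is too small. */
int uri_escape(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF", keep[] = "-._~:/?#[]@!$&'()*+,;=%";
    size_t o = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        int lit = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || strchr(keep, c) != NULL;
        if (o + (lit ? 1 : 3) >= outlen) return -1;
        if (lit) { out[o++] = (char)c; continue; }
        out[o++] = '%'; out[o++] = hex[c >> 4]; out[o++] = hex[c & 15];
    }
    out[o] = '\0'; return 0;
}

/* Step 2: HTML-escape the URI for use inside a double-quoted attribute. */
int attr_escape(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (; *in; in++) {
        const char *rep = *in == '&' ? "&amp;" : *in == '<' ? "&lt;" :
                          *in == '>' ? "&gt;" : *in == '"' ? "&quot;" : NULL;
        size_t n = rep ? strlen(rep) : 1;
        if (o + n >= outlen) return -1;
        if (rep) memcpy(out + o, rep, n); else out[o] = *in;
        o += n;
    }
    out[o] = '\0'; return 0;
}

/* URI-escape first, then attribute-escape the result. */
int href_value(const char *location, char *out, size_t outlen)
{
    char tmp[1024];
    return uri_escape(location, tmp, sizeof tmp) ? -1 : attr_escape(tmp, out, outlen);
}

int main(void)
{
    char buf[1024]; /* sample Location value below is constructed */
    if (href_value("/docs/a b.html?x=1&y=\"2\"#sec", buf, sizeof buf) == 0)
        printf("<A HREF=\"%s\">here</A>\n", buf);
    return 0;
}
```

The '#' fragment delimiter survives both steps, while a double quote, which an escaper limited to '<', '>' and '&' would pass through unchanged, can no longer close the attribute.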

