
Bug#172132: pkgreport.cgi doesn't cope with &amp; where & is expected

On Sat, Dec 07, 2002 at 03:37:56PM +0000, Darren Salt wrote:
> Package: debbugs
> Version: 2.3-4
> Tags: patch

(Note that 2.4 is current, in experimental.)

> Arguably, pkgreport.cgi etc. not coping with &amp; where & is expected is
> correct behaviour, but there are one or two browsers which don't decode
> character entities in URLs (in the case of at least one such browser, it was
> a design decision based on & in URLs often being a literal & rather than
> marking the start of a character entity).
> Better to be liberal in what you accept :-)

I think this patch is wrong, because it would break any argument that
really looked like 'amp;' (granted, there are none at the moment, but if
we started allowing ';' as an argument separator as is done elsewhere
then it begins to look more plausible).

Note that at least CGI.pm behaves the same way, so these browsers have a
great deal of work ahead of them if they want to be correct. I honestly
think that the browsers you refer to ought to be changed to be more
liberal in what they accept. :-) In other words, attempt to parse & as
the start of a character entity, and treat it as a literal & if that
fails. Other approaches are just blatantly incompatible with HTML (4.01
section 5.3.2).

The only correct way I can think of to work around this browser
brokenness is to start accepting ';' as an argument separator and using
it in links. I'd have to check rather carefully to see whether there's
anything that this would break.

Colin Watson                                  [cjwatson@flatline.org.uk]
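
The parsing ambiguity discussed in this message, as an added example that is not part of the original mail or of debbugs. The patch itself is not shown on the page, so `rewrite_then_split` is an assumed shape of the workaround (treat `&amp;` as `&`), and the parameter names and values are constructed samples.

```python
import re
from urllib.parse import unquote_plus


def split_args(query, separators="&"):
    """Split a query string on any character in `separators` into (name, value) pairs."""
    pairs = []
    for part in re.split("[" + re.escape(separators) + "]", query):
        if part:
            name, _, value = part.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def rewrite_then_split(query, separators="&"):
    """Assumed workaround (not the actual patch): rewrite '&amp;' to '&' first."""
    return split_args(query.replace("&amp;", "&"), separators)


# Constructed samples; names and values are illustrative only.
UNDECODED = "pkg=debbugs&amp;archive=no"  # href sent without decoding the entity
SEMICOLON = "pkg=debbugs;archive=no"      # link written with ';', no entity needed


def demo():
    return {
        # Server splits on '&' only: the second name arrives as 'amp;archive'.
        "strict": split_args(UNDECODED),
        # Workaround recovers 'archive' while '&' is the only separator.
        "rewritten": rewrite_then_split(UNDECODED),
        # With ';' accepted, the same bytes legitimately mean an argument 'amp'.
        "semi": split_args(UNDECODED, "&;"),
        # Workaround plus ';' separator: the 'amp' argument silently disappears.
        "semi_rewritten": rewrite_then_split(UNDECODED, "&;"),
        # A ';'-separated link parses the same way with no entity involved.
        "semi_link": split_args(SEMICOLON, "&;"),
    }


if __name__ == "__main__":
    for case, pairs in demo().items():
        print(f"{case:15} {pairs}")
```
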
