Ticket #6702 (closed Bug: duplicate)

Opened 7 years ago

Last modified 5 years ago

in link document the '&' is quoted

Reported by: encolpe Owned by: alecm
Priority: minor Milestone: 2.5.4
Component: General Version:
Keywords: Cc:

Description

In ATContentTypes/content/link.py there's a method overloading the get to sanitize the output, which ends with:

return quote(value, safe='?$#@/:=+;$,')

The character '&' is not in the safe list, so it's replaced by '%26'. Example: http://toto.com?a=1&b=2 is returned as http://toto.com?a=1%26b=2

Is there a security reason?

Change History

comment:1 Changed 7 years ago by limi

  • Status changed from new to closed
  • Resolution set to invalid

I don't think there's a security issue, but "&" is actually not valid in URLs (it should be &amp; or %26):

 http://htmlhelp.com/tools/validator/problems.html#amp

Re-open if I misunderstood the issue. :)

comment:2 Changed 7 years ago by encolpe

  • Status changed from closed to reopened
  • Resolution invalid deleted

If & is not considered good in a URL, &amp; is, but %26amp; would make other applications crash. During migration from Plone 2.0.5, links are migrated twice:

  • the first pass gives %26
  • the second pass gives %2526

After the migration, links that started with '&' ended up with '%2526', which is a migration bug.

Another point is that the external applications we create links to don't respect the HTML standard and split URLs on '?' and '&' to interpret the query. As I cannot ask IBM to fix that now, can we have an option that authorizes the crappy '&'?
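The double encoding this comment describes, reproduced as an added example (not ATContentTypes code): the first function mirrors the quote() call from the description, and `idempotent_sanitize` is a hypothetical replacement that leaves well-formed percent-escapes alone, so a second migration pass cannot turn '%26' into '%2526'.

```python
import re
from urllib.parse import quote

# Safe list exactly as quoted in the ticket description.
SAFE = '?$#@/:=+;$,'

# A well-formed percent-escape: '%' followed by two hex digits.
_PCT_ESCAPE = re.compile(r'%[0-9A-Fa-f]{2}')


def naive_sanitize(value: str) -> str:
    """Behaviour described in the ticket: every character outside SAFE is
    escaped. '&' becomes '%26', and because '%' is not in SAFE either, a
    second pass re-escapes the '%' and yields '%2526'."""
    return quote(value, safe=SAFE)


def idempotent_sanitize(value: str) -> str:
    """Hypothetical fix: escape only the text between existing escapes, and
    copy each existing escape through unchanged. Applying it twice gives the
    same result as applying it once, which is what a migration that may be
    re-run needs. A bare '%' that is not part of an escape is still encoded."""
    out = []
    pos = 0
    for m in _PCT_ESCAPE.finditer(value):
        out.append(quote(value[pos:m.start()], safe=SAFE))
        out.append(m.group(0))  # already encoded: keep as-is
        pos = m.end()
    out.append(quote(value[pos:], safe=SAFE))
    return ''.join(out)


def migrate(value: str, passes: int, sanitize) -> str:
    """Run a sanitizer repeatedly, like the two migration passes."""
    for _ in range(passes):
        value = sanitize(value)
    return value


if __name__ == '__main__':
    url = 'http://toto.com?a=1&b=2'  # constructed sample from the ticket
    print(migrate(url, 2, naive_sanitize))       # ...a=1%2526b=2
    print(migrate(url, 2, idempotent_sanitize))  # ...a=1%26b=2
```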

comment:3 Changed 7 years ago by limi

  • Status changed from reopened to closed
  • Resolution set to duplicate

Duplicate of #6635

comment:4 Changed 5 years ago by hannosch

  • Component changed from Content Types to Infrastructure

comment:5 Changed 22 months ago by davisagli

  • Component changed from Infrastructure to General