[Tickets #5257] Double-"&" when using Horde::selfUrl(true) in combination with Horde_Form_Renderer
bugs at bugs.horde.org
Sun Apr 15 20:41:34 UTC 2007
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/?id=5257
-----------------------------------------------------------------------
Ticket | 5257
Created By | thomas at gelf.net
Summary | Double-"&" when using Horde::selfUrl(true) in combination with
| Horde_Form_Renderer
Queue | Horde Framework Packages
Version | HEAD
Type | Bug
State | Unconfirmed
Priority | 1. Low
Owners |
-----------------------------------------------------------------------
thomas at gelf.net (2007-04-15 13:41) wrote:
Since this modification:
http://cvs.horde.org/diff.php?r1=1.211&r2=1.212&f=framework%2FForm%2FForm%2FRenderer.php
using Horde_Form_Renderer in conjunction with Horde::selfUrl(true) fails,
as it creates form actions with double-"&"-ed URLs.
Explanation:
-> Horde_Form_Renderer's open() function has been modified in a way that
it applies htmlspecialchars() to the form's "action" parameter
-> While this has for sure been done for some good reason (prevent XSS?)
it becomes a problem if someone (some application) would like to pass
an already well-formed URL to renderActive()
-> This happens for example when I pass Horde::selfUrl(true) as the
$action param to renderActive()
-> Horde::selfUrl() calls Horde::url(), and Horde::url() calls
htmlentities() if there is no full Url to be created and if there is no &
already to be found within the Url.
Kind regards,
Thomas Gelf
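
The escaping chain described in the report, as an added example that is not part of the original message and is not Horde code: url_escaped(), url_raw() and form_open() are hypothetical stand-ins for a URL helper that pre-escapes its result and a renderer that escapes the action attribute on output, and the path and parameters are constructed sample values.

```php
<?php
// Added illustration; these functions are hypothetical stand-ins, not Horde code.

// Returns a URL whose query separators are already HTML-escaped,
// in the way the report says Horde::url() does via htmlentities().
function url_escaped(string $path, array $params): string
{
    $url = $path . '?' . http_build_query($params, '', '&');
    return htmlentities($url, ENT_QUOTES, 'UTF-8');
}

// Returns the raw URL; escaping is left to whoever writes it into HTML.
function url_raw(string $path, array $params): string
{
    return $path . '?' . http_build_query($params, '', '&');
}

// Renderer that escapes the action attribute at output time, in the way
// the report says open() does after the linked change.
function form_open(string $action, bool $doubleEncode = true): string
{
    $attr = htmlspecialchars($action, ENT_QUOTES, 'UTF-8', $doubleEncode);
    return '<form method="post" action="' . $attr . '">';
}

$params = ['id' => 5257, 'view' => 'edit'];   // constructed sample values

// 1. Pre-escaped URL passed to an escaping renderer: the separator is
//    escaped a second time, which is the bug reported in this ticket.
echo form_open(url_escaped('/ticket/', $params)), "\n";

// 2. Raw URL, escaped exactly once at the output boundary.
echo form_open(url_raw('/ticket/', $params)), "\n";

// 3. The single escape at output still neutralises markup in the value,
//    which is the protection the renderer change was presumably after.
echo form_open('/ticket/?q="><script>alert(1)</script>'), "\n";

// 4. double_encode=false skips existing entities, so case 1 renders
//    correctly, but a raw value that legitimately contains the text
//    "&amp;" is then left as-is and displays as "&". Treat it as a
//    stopgap; escaping once, at output, is the consistent rule.
echo form_open(url_escaped('/ticket/', $params), false), "\n";
```

Comparing the four printed form tags side by side shows which layer is responsible for each level of escaping.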