[Tickets #7926] Re: Message option "Show All Headers" causes error
bugs at horde.org
Tue Feb 17 07:41:21 UTC 2009
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/7926
------------------------------------------------------------------------------
Ticket | 7926
Updated By | Michael Slusarz <slusarz at horde.org>
Summary | Message option "Show All Headers" causes error
Queue | IMP
Version | 4.3.3
Type | Bug
State | Resolved
Priority | 3. High
Milestone |
Patch |
Owners | Horde Developers, Michael Slusarz, Chuck Hagenbuch
------------------------------------------------------------------------------
Michael Slusarz <slusarz at horde.org> (2009-02-17 02:41) wrote:
>> You are right about the '&' trick - it is possible to put a
>> superfluous one in an URL and it will skip the htmlentities() call.
>
> For what we do here, do you agree that escapeOnce (from
> http://cvs.horde.org/co.php/framework/View/lib/Horde/View/Helper/Url.php?r=ccfd50278baa306abee1acd1b310a168f8ae4925)
> would work instead?
Not really following that code without any real-life context. But
theoretically, we really shouldn't be "fixing" double escaped
parameters when parsing a URL from form data. If double escaped
parameters exist at that point, either the generating code is broken
and should be fixed or something fishy is occurring. It might be best
to ignore those URLs completely and throw an exception or error rather
than trying to magically fix it.
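
The approach suggested in the reply above, sketched in PHP as an added example (it is not part of the original message and not Horde or IMP code): reject a form-supplied URL that already carries HTML entities, and escape accepted URLs exactly once with no "already escaped" shortcut. The function and class names, the sample URLs and the assumption that form values arrive unescaped are all hypothetical.

```php
<?php
// Added example; not Horde/IMP code. Function and class names are hypothetical.

class EscapedUrlException extends InvalidArgumentException {}

/**
 * Accept a URL taken from form data only if it carries no HTML entities.
 * Assumption: form values arrive raw, so an entity here means the
 * generating code escaped twice or the value was tampered with.
 */
function requireRawUrl(string $url): string
{
    // Named (&amp;), decimal (&#38;) and hex (&#x26;) entity references.
    if (preg_match('/&(?:[a-z][a-z0-9]*|#[0-9]+|#x[0-9a-f]+);/i', $url, $m)) {
        throw new EscapedUrlException('Entity in form URL: ' . $m[0]);
    }
    return $url;
}

/**
 * Escape for an HTML attribute exactly once, unconditionally. There is no
 * "looks escaped already, skip it" branch for input to steer.
 */
function urlForAttribute(string $url): string
{
    return htmlspecialchars(requireRawUrl($url), ENT_QUOTES, 'UTF-8');
}

// Constructed sample values.
$samples = [
    'message.php?index=12&show_all_headers=1',     // raw, accepted
    'message.php?index=12&amp;show_all_headers=1', // already escaped, rejected
];

foreach ($samples as $s) {
    try {
        echo urlForAttribute($s), "\n";
    } catch (EscapedUrlException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```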