[Tickets #14148] Re: vacation, spam & forward double encoding
noreply at bugs.horde.org
Mon Nov 2 19:28:37 UTC 2015
PLEASE DO NOT REPLY TO THIS MESSAGE. MESSAGES SENT TO THIS
E-MAIL ADDRESS ARE NOT READ.
Ticket-URL: https://bugs.horde.org/ticket/14148
------------------------------------------------------------------------------
Ticket | 14148
Updated By | Jan Schneider <jan at horde.org>
Summary | vacation, spam & forward double encoding
Queue | Horde Framework Packages
Type | Bug
Status | Feedback
Priority | 1. Low
Milestone |
Patch |
Assigned To | Michael Rubinsky
------------------------------------------------------------------------------
Jan Schneider <jan at horde.org> (2015-11-02 20:28) wrote:
>> This isn't correct and opens a security issue in Horde_Form. We
>> should probably rather make sure that we don't pass the encoded URL
>> to Horde_Form from Ingo. Probably need to set ->raw in the passed
>> Horde_Url.
>
> But it's not already encoded.
Horde_Url objects are always encoded by default if printed (or cast
to string, fwiw).
> What was removed was the "action" attribute being run through
> htmlspecialchars, which isn't really appropriate for encoding an
> actual URL. e.g.:
>
> htmlspecialchars('/some/page.php?foo=bar&bar=foo')
>
> does not result in a valid, working url.
It does. Because this happens where the URL is *printed*. The result
is of course not a valid URL, but a correctly encoded URL to be
embedded into an HTML page.
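The three situations the thread is arguing about, as an added example that is not code from Horde or from either participant. `EscapingUrl` is a hypothetical stand-in written for this example: it only models the behaviour Jan describes (HTML-encoded when cast to string unless its `raw` flag is set) and is not the real Horde_Url class; `renderForm` is likewise a stand-in for the form output that Ingo's patch stopped escaping.

```php
<?php
// Added example, not Horde code. Minimal stand-in for a URL object that
// HTML-escapes itself when cast to string unless ->raw is set.
// This is a model of the behaviour described in the ticket, NOT Horde_Url.
final class EscapingUrl
{
    public $raw = false;
    private $url;

    public function __construct($url)
    {
        $this->url = $url;
    }

    // Cast to string: encoded for HTML by default, verbatim when ->raw is set.
    public function __toString()
    {
        return $this->raw
            ? $this->url
            : htmlspecialchars($this->url, ENT_QUOTES, 'UTF-8');
    }
}

// Stand-in for the form renderer. It keeps escaping the action attribute
// because it also receives plain strings, and an unescaped string can
// close the attribute and inject markup.
function renderForm($action)
{
    $attr = htmlspecialchars((string) $action, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $attr . '">';
}

// Case 1: plain string. One round of escaping turns & into &amp;, which the
// browser decodes back to & when it reads the attribute, so the URL works.
$plain = '/some/page.php?foo=bar&bar=foo';
echo renderForm($plain), "\n";

// Case 2: URL object cast to string without ->raw. The object escapes once,
// the renderer escapes again, and the attribute ends up with &amp;amp;.
// The browser decodes that to a literal "&amp;", so the server receives a
// parameter named "amp;bar" instead of "bar": the double encoding from the bug.
$obj = new EscapingUrl($plain);
echo renderForm($obj), "\n";

// Case 3: the fix Jan proposes. Hand the renderer the raw URL and let the
// single htmlspecialchars at the point of output do the only encoding.
$obj->raw = true;
echo renderForm($obj), "\n";

// Why the renderer must keep escaping: if it were removed, a string action
// from a less careful caller (constructed input for this example) would
// close the attribute and add an event handler. Escaped, the quotes become
// &quot; and the whole thing stays inside the attribute value.
$hostile = '/page.php?x=" onmouseover="alert(1)';
echo renderForm($hostile), "\n";
```

Cases 1 and 3 produce `action="/some/page.php?foo=bar&amp;bar=foo"`, which is not a valid URL as text but is exactly how a URL containing `&` must be written inside an HTML attribute; case 2 produces `&amp;amp;`. The point of the thread is that encoding belongs at the single place where the value is printed into HTML, so the right fix is to stop the object from pre-encoding (set `raw`) rather than to stop the renderer from escaping.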