[dev] Bug 616: URL-to-link in message.php3
Jon Parise
jon@csh.rit.edu
Sat, 17 Feb 2001 12:29:47 -0500
On Sat, Feb 17, 2001 at 09:32:02AM -0600, Brent J. Nordquist wrote:
> > the routine used to generate hot links in e-mail messages does not
> > handle URL strings with common operators properly. for instance, mail
> > the following url to yourself:
> >
> > http://whois.nic.or.kr/cgi-bin/newwhois.cgi?VALUE=216.244.174.242&TYPE=++
> >
> > note that the '++' at the end is not included in the link.
> >
> > a *quick look* makes me think the culprit is here in the replace:
> >
> > $tmsg = preg_replace('|(\w+)://([^\s"<]*)([\w#?/&=])|', '<A href="\1://\2\3" target="_blank">\1://\2\3</A>', $tmsg);
> >
> > (imp/message.php3 line 113)
>
> He's right. You can see that pattern \3 is only pulling in a specific
> list of characters. I could add "+" to that list, but then this may
> come up again. I was afraid to make it completely liberal (all
> non-whitespace) because I suspect it was done this way for a
> reason (security?).
Isn't the plus sign the character used in place of a space for URL
encoding? That would make its use illegal in a URL, unless it was
properly encoded. I suppose '++' could mean "space space", though.
--
Jon Parise (jon@csh.rit.edu) . Rochester Inst. of Technology
http://www.csh.rit.edu/~jon/ : Computer Science House Member
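The three behaviours under discussion, as an added example that is not code from the IMP project or from anyone in this thread: the line-113 regex quoted in the bug report, transcribed from PHP's preg_replace into Python's re (the two engines agree on this pattern); Brent's "completely liberal" variant with \3 widened to any non-whitespace character; and a hardened variant that is my own assumption, not the fix IMP shipped. The hardened version widens the terminal class to include '+' (and a few other characters RFC 2396 allows at the end of a URL) but keeps quotes and angle brackets out of both classes, and HTML-escapes the URL before placing it in the attribute and link text. The sample messages are constructed; the whois URL is the one from the bug report.

```python
import html
import re

# The replace from imp/message.php3 line 113, as quoted in the bug report,
# transcribed to Python's re module: the trailing group only admits [\w#?/&=].
ORIGINAL_PATTERN = re.compile(r'(\w+)://([^\s"<]*)([\w#?/&=])')
ANCHOR_TEMPLATE = r'<A href="\1://\2\3" target="_blank">\1://\2\3</A>'


def linkify_original(text):
    """Reproduce the page's regex: a URL ending in '+' loses its last characters."""
    return ORIGINAL_PATTERN.sub(ANCHOR_TEMPLATE, text)


# Brent's considered change: make the terminal character "completely liberal"
# (any non-whitespace). This is the variant his security worry applies to,
# because \S admits a double quote, which ends the href attribute early.
LIBERAL_PATTERN = re.compile(r'(\w+)://([^\s"<]*)(\S)')


def linkify_liberal(text):
    return LIBERAL_PATTERN.sub(ANCHOR_TEMPLATE, text)


# Hardened variant (an assumption for this example, not IMP's actual fix):
# - the URL body excludes '>' as well as whitespace, '"' and '<';
# - the terminal class is widened to characters RFC 2396 permits at the end
#   of a URL, '+' included, but never a quote or angle bracket;
# - the matched URL is HTML-escaped before it goes into the attribute and the
#   link text, so whatever the classes admit cannot break out of the markup.
HARDENED_PATTERN = re.compile(r'(\w+)://([^\s"<>]*)([\w#?/&=+%~.\-])')


def linkify_hardened(text):
    def repl(m):
        url = f'{m.group(1)}://{m.group(2)}{m.group(3)}'
        safe = html.escape(url, quote=True)  # '&' -> '&amp;', '"' -> '&quot;'
        return f'<A href="{safe}" target="_blank">{safe}</A>'
    return HARDENED_PATTERN.sub(repl, text)


def href_of(markup):
    """Return the href attribute value of the first anchor as a browser would
    delimit it (up to the next '"'), or None if no anchor is present."""
    m = re.search(r'<A href="([^"]*)"', markup)
    return m.group(1) if m else None


if __name__ == '__main__':
    # Constructed sample: the URL from the bug report, pasted on its own line.
    bug_url = ('http://whois.nic.or.kr/cgi-bin/newwhois.cgi'
               '?VALUE=216.244.174.242&TYPE=++')
    print('original :', href_of(linkify_original(bug_url)))   # ...TYPE=  ('++' dropped)
    print('hardened :', href_of(linkify_hardened(bug_url)))   # ...&amp;TYPE=++
    # Constructed sample: a URL followed by a stray double quote.
    quoted = 'see http://example.com/x" for details'
    print('liberal  :', linkify_liberal(quoted))    # href="http://example.com/x"" ...
    print('hardened :', linkify_hardened(quoted))   # quote stays outside the anchor
```

The `&amp;` in the hardened href is correct HTML: browsers decode attribute values, so the server receives `&TYPE=++` unchanged, whereas the original template copies `&` into the attribute raw. Whether `++` stood for two encoded spaces is irrelevant to the linker; its job is to hand the browser exactly the characters the sender wrote, without letting any of them terminate the attribute.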