| Summary | Double-"&" when using Horde::selfUrl(true) in combination with Horde_Form_Renderer |
| Queue | Horde Framework Packages |
| Queue Version | HEAD |
| Type | Bug |
| State | Not A Bug |
| Priority | 1. Low |
| Owners | |
| Requester | thomas (at) gelf (dot) net |
| Created | 04/15/2007 (6783 days ago) |
| Due | |
| Updated | 04/17/2007 (6781 days ago) |
| Assigned | |
| Resolved | 04/17/2007 (6781 days ago) |
| Github Issue Link | |
| Github Pull Request | |
| Milestone | |
| Patch | No |
State ⇒ Not A Bug
(third arg is the important one)
State ⇒ Unconfirmed
Priority ⇒ 1. Low
Type ⇒ Bug
Summary ⇒ Double-"&" when using Horde::selfUrl(true) in combination with Horde_Form_Renderer
Queue ⇒ Horde Framework Packages
http://cvs.horde.org/diff.php?r1=1.211&r2=1.212&f=framework%2FForm%2FForm%2FRenderer.php
Using Horde_Form_Renderer in conjunction with Horde::selfUrl(true) fails, as
it creates form actions with double-"&"-ed URLs.
Explanation:
-> Horde_Form_Renderer's open() function has been modified in a way that
it applies htmlspecialchars() to the form's "action" parameter
-> While this has for sure been done for some good reason (prevent XSS?)
it becomes a problem if someone (some application) would like to pass
an already well-formed URL to renderActive()
-> This happens for example when I pass Horde::selfUrl(true) as the $action
param to renderActive()
-> Horde::selfUrl() calls Horde::url(), and Horde::url() calls
htmlentities() if there is no full Url to be created and if there is no &
already to be found within the Url.
Kind regards,
Thomas Gelf
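
The double encoding described in this report, as an added PHP example that is not part of the ticket or of Horde's code: `renderOpen()` and `asBrowserSees()` are hypothetical stand-ins for a renderer that escapes at output time, and the URLs are constructed. It prints the markup for a raw and a pre-encoded action, what an HTML parser recovers from each, and how escaping at output keeps a quote-carrying value inside the attribute.

```php
<?php
// Added illustration. renderOpen() and asBrowserSees() are hypothetical
// helpers, not Horde functions; all URLs below are constructed samples.

// A renderer that escapes the action when writing the attribute, so a quote
// or angle bracket in the value cannot close the attribute or the tag.
function renderOpen(string $action): string
{
    return '<form action="' . htmlspecialchars($action, ENT_QUOTES, 'UTF-8') . '">';
}

// Decode the attribute value once, as an HTML parser does, then split the
// query string the way the receiving script would.
function asBrowserSees(string $html): array
{
    preg_match('/action="([^"]*)"/', $html, $m);
    $url = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
    return ['url' => $url, 'param_names' => array_keys($params)];
}

$cases = [
    'raw URL (what the renderer expects)' => '/app/edit.php?id=7&mode=full',
    'already entity-encoded by caller'    => '/app/edit.php?id=7&amp;mode=full',
];

foreach ($cases as $label => $action) {
    $html = renderOpen($action);
    echo $label, "\n  markup:  ", $html, "\n  decoded: ";
    echo json_encode(asBrowserSees($html), JSON_UNESCAPED_SLASHES), "\n";
}

// Why the escaping is there: a value carrying a quote stays inside the attribute.
echo renderOpen('/app/edit.php?x="><b>injected'), "\n";
```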