|Subject:||startform( -action=... ) URL encoding change breaks existing code|
New code in startform() routine causes <form action="..."> value strings to now be URL encoded and made to fail. Subsequent submissions die with 404 errors. This causes pre-existing code to fail with version 2.99. Version 2.99 added a line to startform(): $action = escape($action); forcing action values to be URL encoded. This causes preexisting code such as: print start_form( -name => 'formdsply', -method => 'POST', -action => "/cgi-bin/wacs/testing2.pl" ); to now generate HTML thusly: action="%2Fcgi-bin%2Fwacs%2Ftesting2.pl" This causes browsers (here IE 6.0SP1 on WinXP) to interpret this as POSTing toand then receive a 404 error response. Apparent workaround (tested) is to change code to read print start_form( -name => 'formdsply', -method => 'POST', -action => "testing2.pl" ); which generates action="testing2.pl" which gets us to correct place as testing2.pl is within the same directory. But how then does one refer to another directory with 2.99? Backing off and installing 2.98 is also a workaround that fixes the problem. Revision History says merely "Patch from Ewann Corvellec to fix cross-site scripting vulnerability." hardly pointing out a major HTML generation incompatibility.