Skip Menu |
 

Preferred bug tracker

Please visit the preferred bug tracker to report your issue.

This queue is for tickets about the CGI CPAN distribution.

Report information
The Basics
Id: 3216
Status: resolved
Priority: 0/
Queue: CGI

People
Owner: LDS [...] cpan.org
Requestors: gbrock [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: (no value)
Fixed in: (no value)



Subject: Escaping form "action" confuses Mozilla
Download (untitled) / with headers
text/plain 697b
I gather you added a cross-site scripting fix to CGI.pm 2.99. However the escaping of the default form action causes Mozilla and IE to submit the form to the wrong location. e.g. if the following URL generates a form (with "start_form") but does not specify an "-action" acttribute: http://foo/bar/test.cgi then the form will have the following action: CGI.pm 2.98 action="/bar/test.cgi" CGI.pm 2.99 action="%2Fbar%2Ftest.cgi" The 2.99 version causes the browser to submit to the form to: http://foo/bar/2Fbar%2Ftest.cgi I guess the $action=escape($action) at line 1648 is not quite what you want. Gavin Tested with perl 5.6.0 5.6.1 and 5.8 on Solaris, Linux and OpenBSD
Download (untitled) / with headers
text/plain 843b
Fixed in 3.00 [GBROCK - Tue Aug 12 03:44:43 2003]: Show quoted text
> I gather you added a cross-site scripting fix to CGI.pm 2.99. However > the escaping of the default form action causes Mozilla and IE to > submit the form to the wrong location. > > e.g. if the following URL generates a form (with "start_form") but > does not specify an "-action" acttribute: > > http://foo/bar/test.cgi > > then the form will have the following action: > > CGI.pm 2.98 action="/bar/test.cgi" > CGI.pm 2.99 action="%2Fbar%2Ftest.cgi" > > The 2.99 version causes the browser to submit to the form to: > > http://foo/bar/2Fbar%2Ftest.cgi > > I guess the $action=escape($action) at line 1648 is not quite what
you Show quoted text
> want. > > Gavin > > Tested with perl 5.6.0 5.6.1 and 5.8 on Solaris, Linux and OpenBSD


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.