[TYPO3-core] RFC #12990 : referrer in felogin form is not encoded correctly

Jigal van Hemert jigal at xs4all.nl
Sun May 16 22:49:04 CEST 2010


Benjamin Mack wrote:
> just by reading: the function is "htmlspecialchars()" not 
> "htmlspecialchar()". 

Auch!
Note to self: write 100 times "I shall not save files after testing them"

> Also, any steps on how to produce this obvious one quickly?

On the English list someone had TYPO3 installed in a subdirectory '/cms' 
and felogin with referrer redirect. The redirect went to:
	/cms/http://www.mydomain.com/cms/index.php?id=12

After removing the rawurlencode() it worked.

However, coming from a URL with extra query parameters, there was an '&' 
in the URL, so the page would not validate. htmlspecialchars() was needed.

> Steffen K: I think there was a recent RFC (two months ago or so) where 
> rawurlencode() was introduced. Any reasons why we used "rawurlencode()" 
> and not HSC?

The rawurlencode() got in with #10327 on 7-12-2009 with rev 6638 (4_3) 
and 6639 (trunk) (v5 of the patch). It was first introduced in v3 on 
22-9-2009. Susanne spotted the problem on 13-10-2009, but it was not 
attributed to the rawurlencode() and the conclusion was "it shows that 
the redirect basically works :-)"

And attached version 2 with the correct spelling.

@Benni: can this get your vote to get it committed?

-- 
Jigal van Hemert
skype:jigal.van.hemert
msn: jigal at xs4all.nl
http://twitter.com/jigalvh
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 12990_trunk_v2.patch
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20100516/7556e08a/attachment.asc>
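
An added example, not part of the original message or the attached patch: it runs a referrer through the three encodings discussed in this thread and shows what ends up in the markup and what comes back after the form is submitted. The sample URL, the field name `referer` and the helper functions are assumptions made for illustration.

```php
<?php
// Constructed sample: a referrer with an extra query parameter, site installed under /cms.
$referrer = 'http://www.mydomain.com/cms/index.php?id=12&L=1';

// Hypothetical helper: the hidden field that carries the referrer (field name is assumed).
function hiddenField(string $encodedValue): string
{
    return '<input type="hidden" name="referer" value="' . $encodedValue . '" />';
}

// Hypothetical helper: the browser decodes HTML entities in the attribute before
// submitting; percent-escapes in the value are NOT decoded at that step.
function valueAfterRoundTrip(string $encodedValue): string
{
    return html_entity_decode($encodedValue, ENT_QUOTES, 'UTF-8');
}

// A value without a scheme cannot be recognised as an absolute URL, so redirect
// code has to treat it as a path below the site root.
function describeTarget(string $value): string
{
    return is_string(parse_url($value, PHP_URL_SCHEME))
        ? 'absolute URL'
        : 'no scheme, handled as a path relative to the site';
}

$variants = [
    'rawurlencode()'     => rawurlencode($referrer),
    'no encoding'        => $referrer,
    'htmlspecialchars()' => htmlspecialchars($referrer, ENT_QUOTES, 'UTF-8'),
];

foreach ($variants as $label => $encoded) {
    // A bare '&' that does not start '&amp;' is what makes the page fail validation.
    $bareAmpersand = preg_match('/&(?!amp;)/', $encoded) === 1;
    $received = valueAfterRoundTrip($encoded);

    echo $label, PHP_EOL;
    echo '  markup:   ', hiddenField($encoded), PHP_EOL;
    echo '  valid:    ', $bareAmpersand ? 'no (bare & in attribute)' : 'yes', PHP_EOL;
    echo '  received: ', $received, PHP_EOL;
    echo '  unchanged: ', $received === $referrer ? 'yes' : 'no', PHP_EOL;
    echo '  target:   ', describeTarget($received), PHP_EOL, PHP_EOL;
}
```

Only the htmlspecialchars() variant gives both valid markup and an unchanged absolute URL on the server side; rawurlencode() is meant for a single URL component, not for a whole URL placed in an HTML attribute.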

