#930 Double escapes ampersands?

7.0
open
nobody
None
1
5 days ago
2014-06-26
No

When looking at the HTML generated by awstats 7.0, I see things like:

    action="/stats?config=www.stderr.nl&amp;amp;output=errors404"

which has the ampersand escaped twice. The outer escaping will be interpreted by the browser, but when I submit this particular form, it will still navigate to this url:

    http://www.tikatika.nl/stats?config=www.stderr.nl&amp;output=errors404

There should not normally be any need for having ampersands HTML-escaped in urls, only inside HTML/XML.

It seems that this is because urls are constructed using hardcoded &amp; instead of &, like here:

    if ($NewLinkParams) { $NewLinkParams = "${NewLinkParams}&amp;"; }

However, when the link is actually put inside the HTML, another escaping pass is done (which is the right spot to do this):

    sub XMLEncode {
        if ( $BuildReportFormat ne 'xhtml' && $BuildReportFormat ne 'xml' ) {
            return shift;
        }
        my $string = shift;
        $string =~ s/&/&amp;/g;
        $string =~ s/</&lt;/g;
        $string =~ s/>/&gt;/g;
        $string =~ s/\"/&quot;/g;
        $string =~ s/\'/&apos;/g;
        return $string;
    }

Here, the escaping only happens for xml and xhtml, but I don't think that distinction is really needed - in html reports stuff should also be escaped.

The reason this doesn't break everything is that the argument parsing accepts both &amp; as well as & as separators:

    $NewLinkParams =~ s/(^|&|&amp;)update(=\w*|$)//i;

Which really looks like a hack around the problem.

This is probably not very trivial to fix, since the problem seems rather spread throughout the code. It would be good to clean this up though. Probably also improve the argument parsing code, since I think this style of parsing:

    if ( $QueryString =~ /config=([^&]+)/i ) { $SiteConfig = &Sanitize("$1"); }

Isn't very robust: awstats.pl?noconfig=example.org would also be picked up by this, I think.
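
The two changes the report suggests, as an added example that is not AWStats code and not part of the original report: URLs are built with raw `&` and escaped once at output time, and the query string is split into pairs before whole parameter names are compared. The sub names `html_escape`, `build_url` and `parse_query` and the sample values are hypothetical.

```perl
# Added illustration; sub names are hypothetical, not AWStats functions.
use strict;
use warnings;

# Escape exactly once, where text is written into HTML/XML output.
# &#39; is used for the apostrophe because &apos; is not defined in HTML 4.
my %ENT = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;');
sub html_escape {
    my ($s) = @_;
    $s =~ s/([&<>"'])/$ENT{$1}/g;
    return $s;
}

# Build the URL with raw '&' separators; values are percent-encoded
# (assumes byte strings, so every encoded character fits in two hex digits).
sub build_url {
    my ($path, @pairs) = @_;
    my @parts;
    while (my ($k, $v) = splice(@pairs, 0, 2)) {
        $v =~ s/([^A-Za-z0-9._~-])/sprintf('%%%02X', ord($1))/ge;
        push @parts, "$k=$v";
    }
    return @parts ? "$path?" . join('&', @parts) : $path;
}

# Split on the separator first, then compare whole parameter names, so
# "noconfig=..." can never satisfy a lookup for "config".
sub parse_query {
    my ($qs) = @_;
    my %param;
    for my $pair (split /&/, $qs) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        $v //= '';
        $v =~ tr/+/ /;
        $v =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
        $param{lc $k} //= $v;    # names are case-insensitive, first occurrence wins
    }
    return \%param;
}

# Constructed sample input.
my $url = build_url('/stats', config => 'www.example.org', output => 'errors404');
print 'action="', html_escape($url), qq("\n);    # escaped once, at output

my $qs = 'noconfig=example.org&output=errors404';
my $unanchored = $qs =~ /config=([^&]+)/i ? $1 : '(none)';    # pattern quoted in the report
my $p = parse_query($qs);
print "unanchored regex: $unanchored\n";
print "parsed config:    ", (exists $p->{config} ? $p->{config} : '(none)'), "\n";
```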
