#930 Double escapes ampersands?


When looking at the HTML generated by awstats 7.0, I see things like:


which has the ampersand escaped twice. The outer escaping will be interpreted by the browser, but when I submit this particular form, it will still navigate to this url:


There should not normally be any need for having ampersands HTML-escaped in urls, only inside HTML/XML.

It seems that this is because urls are constructed using hardcoded &amp; instead of &, like here:

    if ($NewLinkParams) { $NewLinkParams = "${NewLinkParams}&amp;"; }

However, when the link is actually put inside the HTML, another escaping pass is done (which is the right spot to do this):

    sub XMLEncode {
        # plain html reports skip the escaping entirely
        if ( $BuildReportFormat ne 'xhtml' && $BuildReportFormat ne 'xml' ) {
            return shift;
        }
        my $string = shift;
        $string =~ s/&/&amp;/g;
        $string =~ s/</&lt;/g;
        $string =~ s/>/&gt;/g;
        $string =~ s/\"/&quot;/g;
        $string =~ s/\'/&apos;/g;
        return $string;
    }

Here, the escaping only happens for xml and xhtml, but I don't think that distinction is really needed - in html reports stuff should also be escaped.

The reason this doesn't break everything is that the argument parsing accepts both & as well as &amp; as separators:

    $NewLinkParams =~ s/(^|&|&amp;)update(=\w*|$)//i;

Which really looks like a hack around the problem.

This is probably not very trivial to fix, since the problem seems rather spread throughout the code. It would be good to clean this up though. Probably also improve the argument parsing code, since I think this style of parsing:

    if ( $QueryString =~ /config=([^&]+)/i ) { $SiteConfig = &Sanitize("$1"); }

Isn't very robust: awstats.pl?noconfig=example.org would also be picked up by this, I think.
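Added example (not code from the ticket or from awstats itself) showing the two points the report makes: links are built with a plain & separator and encoded exactly once, at the moment they are written into HTML, for every report format; and the query string is split into key/value pairs so that a key is matched exactly instead of by an unanchored regex. The function names html_encode, build_link_params, parse_query and the sample parameter values are assumptions made for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape a string once, at the point where it is emitted into HTML/XML.
# Unlike the XMLEncode quoted in the report, this is applied regardless
# of the report format; the entities are the same five it uses.
sub html_encode {
    my ($string) = @_;
    $string =~ s/&/&amp;/g;
    $string =~ s/</&lt;/g;
    $string =~ s/>/&gt;/g;
    $string =~ s/\"/&quot;/g;
    $string =~ s/\'/&apos;/g;
    return $string;
}

# Percent-encode a key or value so that a literal '&' or '=' inside a
# value cannot be mistaken for a separator when the query is parsed.
sub url_encode {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9_.~-])/sprintf('%%%02X', ord($1))/ge;
    return $s;
}

sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Build the link parameters with a plain '&' between pairs. No HTML
# escaping happens here: this string is a URL, not markup.
sub build_link_params {
    my (%params) = @_;
    return join '&',
        map { url_encode($_) . '=' . url_encode($params{$_}) } sort keys %params;
}

# Split the query string on '&' and decode each pair, then look keys up
# by exact name. A parameter called 'noconfig' therefore never satisfies
# a lookup of 'config', which the unanchored /config=([^&]+)/ would allow.
sub parse_query {
    my ($query) = @_;
    my %out;
    for my $pair ( split /&/, $query ) {
        next if $pair eq '';
        my ( $k, $v ) = split /=/, $pair, 2;
        $v = '' unless defined $v;
        $out{ url_decode($k) } = url_decode($v);
    }
    return \%out;
}

# Constructed sample values, not taken from a real awstats report.
my $params = build_link_params( config => 'example.org', month => '01', year => '2011' );

# Escape exactly once, when the URL goes into an attribute value.
my $href = html_encode("awstats.pl?$params");
print qq{<a href="$href">report</a>\n};

# Encoding the already-encoded string again reproduces the report's
# symptom: every '&amp;' becomes '&amp;amp;'.
print html_encode($href), "\n";

# Exact-key parsing: 'noconfig' does not set 'config'.
my $q = parse_query('noconfig=example.org&month=01');
print defined $q->{config} ? "config=$q->{config}\n" : "config not set\n";

# By contrast, the regex style quoted in the report matches the same input.
print "regex matched: $1\n" if 'noconfig=example.org' =~ /config=([^&]+)/i;
```

The split in build_link_params between URL construction and html_encode is the point: the encoder is the only place that knows it is writing markup, so it is the only place that should add entities, and it should do so whether the report is html, xhtml or xml.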

