Re: [Exist-open] Ampersand Entities in Query String Causing Problems

[Michael S. <so...@if...>]

John - the XML entities aren't supposed to be decoded when found in URLs:
the format of URLs is governed by the HTTP standard, in which characters may
be encoded using hexadecimal such as %26 for & (also + for space, oddly).
XML entities are only recognized in the context of an XML document.

So: exist is doing the right thing in the case you describe.

-Mike

> -----Original Message-----
> From: John Craft [mailto:jc...@jo...] 
> Sent: Thursday, June 04, 2009 6:21 PM
> To: Exi...@li...
> Subject: [Exist-open] Ampersand Entities in Query String 
> Causing Problems
> 
> All-
> 
> I know this has been discussed before, but I think I have run 
> across a bug in the way eXist handles entitized ampersands in 
> query strings.  For example, if I make the following standard 
> request, everything works
> fine:
> 
> http://localhost:8080/exist/xquery/QuerystringTest.xqy?1=a&2=b&3=c
> 
> However, when the ampersands are converted to entities (see 
> URL below), a simple XQuery won't read in the parameters correctly.
> 
> http://localhost:8080/exist/xquery/QuerystringTest.xqy?1=a&amp
;2=b&3
> =c
> 
> With the URL above, eXist treats the first "&" character as a 
> delimiter and thinks the second parameter is "amp;2" when it 
> should just be "2"
> ("amp;3" as the third parameter, etc).  I tested this with 
> the following below.  If you use entities for ampersands and 
> execute the XQuery, you'll see the incorrect parameter names.
> 
> xquery version "1.0";
> 
> declare namespace request = "http://exist-db.org/xquery/request";
> 
> declare option exist:serialize "method=xhtml indent=yes 
> omit-xml-declaration=yes 
> doctype-public=-//W3C//DTD HTML 4.01//EN
> doctype-system=http://www.w3.org/TR/html4/strict.dtd";
> 
> <html>
> <head>
>     <meta http-equiv="Content-Type" content="text/html; 
> charset=UTF-8"/> </head> <body> <ul> {
>     for $param in request:get-parameter-names() 
>     return
>         <li>{$param}</li>
> }
> </ul>
> </body>
> </html>
> 
> I also did a simple test using the admin section of eXist.  
> For example, if you browse a collection through the web 
> interface and change the ampersand in the query string to an 
> entity, the admin page won't find the right collection:
> 
> http://localhost:8080/exist/admin/admin.xql?panel=browse&amp;c
ollection=
> /db/books
> 
> When I make the request above, the admin page lists the 
> contents of the "/db" collection rather than "/db/books".  
> The behavior makes sense given the code on line 21 of browse.xqm:
> 
> let $colName := request:get-parameter("collection", "/db") return ...
> 
> Clearly, eXist isn't finding the collection "/db/books" 
> because it thinks the second query string parameter is 
> "amp;collection" instead of "collection".
> 
> I have tested this in IE8 and FireFox 3 and against eXist versions
> 1.3.0.8806 and 1.2.4.8072.
> 
> If I have missed something obvious or if there is a 
> workaround, please let me know.  Could this possibly be an 
> issue with Jetty?
> 
> Thanks.
> 
> John Craft
> 
> 
> 
> --------------------------------------------------------------
> ----------------
> OpenSolaris 2009.06 is a cutting edge operating system for 
> enterprises looking to deploy the next generation of Solaris 
> that includes the latest innovations from Sun and the 
> OpenSource community. Download a copy and enjoy capabilities 
> such as Networking, Storage and Virtualization. 
> Go to: http://p.sf.net/sfu/opensolaris-get
> _______________________________________________
> Exist-open mailing list
> Exi...@li...
> https://lists.sourceforge.net/lists/listinfo/exist-open
>