Open Bug 1249637 Opened 8 years ago Updated 2 years ago

web-based protocol handlers double url encode url which already has url encoding

Categories

(Firefox :: File Handling, defect)

Product:
Firefox
Component:
File Handling
Version:
44 Branch
Type:
defect

Tracking

()

Status:
UNCONFIRMED

People

(Reporter: eibbiezza, Unassigned)

Details

Attachments

(2 files)

index.html
154 bytes, text/html
Details
Bug 1249637 - Prevent double URL encoding in web-based protocol handlers
48 bytes, text/x-phabricator-request
Details | Review 
If user clicks on the following link (url encoded version of irc://irc.gnome.org/#gtk+):
<a href="irc://irc.gnome.org/%23gtk%2B" class="irc">#gtk+</a>

(as seen on http://www.gtk.org/development.php)

The web-based protocol handler which is registered for irc:// links gets passed:
irc%3A%2F%2Firc.gnome.org%2F%2523gtk%252B
rather than:
irc%3A%2F%2Firc.gnome.org%2F%23gtk%2B

That is, part of the URL is double url encoded. Instead, Firefox should url decode the anchor's href prior to passing it to be fully url encoded for the web-based protocol handler.

Reference https://developer.mozilla.org/en-US/docs/Web-based_protocol_handlers
Attached file index.html 
Both work with FF44 on Win 7.
Component: Untriaged → File Handling
Loic,

Based upon what do you conclude that it's working correctly?

Clicking on those two different links results in different values being passed to Firefox's default irc handler (mibbit):
https://client00.chat.mibbit.com/?url=irc%3A%2F%2Firc.gnome.org%2F%2523gtk%252B
https://client01.chat.mibbit.com/?url=irc%3A%2F%2Firc.gnome.org%2F%23gtk%2B

It's true that (*in mibbit's case*) this doesn't make a functional difference, because they've obviously compensated for the double encoding by double decoding, but the fact remains that Firefox is doubling the encoding the begin with, and not all irc handlers will have compensated for this (nor should they have to), for example, KiwiIRC.

If you'd like to test KiwiIRC:
Go to https://kiwiirc.com/client
Choose a nickname and connect
Click the Settings (gears) icon in the upper right
Select "Make Kiwi my default IRC client"
(then obviously test each of the links in your attachment)

The first link fills the "Channel" field with "#%23gtk%2B" rather than "#gtk+", while the second link fills the "Channel" with "##gtk+" (note: they're aware of the double hash issue (an unrelated issue), which has been fixed in the development branch and will be brought live within about a week).
Flags: needinfo?(epinal99-bugzilla2)
To clarify, the mibbit URLs noted above are to compare by looking at the URLs themselves, not by following the links. The first one has double encoding.
Flags: needinfo?(epinal99-bugzilla2)

This is a problem for some web-based mailto:-handlers (e.g. Nextcloud)
when the URL already uses URL-encoding (e.g. in an attempt to hide
email-addresses from very naive web scrapers).

Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: