Bug 179535 (Closed)
Opened 23 years ago, closed 22 years ago
Javascript href unescapes url escaped encoding used in literals and String variables
Categories: Core :: DOM: Core & HTML, defect
Status: RESOLVED DUPLICATE of bug 167011
People: Reporter: jwinshell, Unassigned
Attachments: 1 file (1.63 KB, text/html)
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.0.1) Gecko/20021104 Chimera/0.6
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.0.1) Gecko/20021104 Chimera/0.6
String literals or String variables containing URL encoded escape sequences (%xx)
are de-escaped when used within Javascript href attribute. This bug is quite
serious in that one cannot use escaped encoded URLs anywhere within the
JavaScript href.
Reproducible: Always
Steps to Reproduce:
USE THIS EXAMPLE HTML FILE:
<html>
<body>
<h2>THE PROBLEM</h2>
String literals or String variables containing URL encoded escape sequences (%xx)
are de-escaped when used within Javascript href attribute. This bug is quite
serious in that one cannot use escaped encoded URLs anywhere within the
JavaScript href.
<p>
All the Mozilla based browsers, NS 4.x series, IE, and iCab have this bug.
The bug is not present in Opera or Omniweb.
<pre>
<a href="javascript:window.location='SomePage.html?A=1%3D1'">link</a>
will be received by the browser as
GET /SomePage.html?A=1=1
instead of
GET /SomePage.html?A=1%3D1
</pre>
<p>
<b>Awkward workaround</b>
</p>
<pre>
If the % is encoded as \x25
<a href="javascript:window.location='SomePage.html?A=1\x253D1'">link</a>
Then the javascript:href works properly.
<a href="javascript:alert('http://192.168.0.216/index.html?A=1\x253D1')">
\x25 encoded javascript href</a>
</pre>
<h2>Example Javascript href bug</h2>
The string
<pre>
http://192.168.0.216/index.html?A=1%3D1
</pre>
being displayed by js
<pre>
alert('http://192.168.0.216/index.html?A=1%3D1')
</pre>
being called from an onClick button attribute works properly
<pre>
onClick="alert('http://192.168.0.216/index.html?A=1%3D1')"
</pre>
<br/>
<form>
<input type="button" value="by onClick"
onClick="alert('http://192.168.0.216/index.html?A=1%3D1')"/>
</form>
whereas if called from Javascript href attribute
<pre>
href="javascript:alert('http://192.168.0.216/index.html?A=1%3D1')"
</pre>
<br>
<a href="javascript:alert('http://192.168.0.216/index.html?A=1%3D1')">javascript
href</a>
<br>
<br>
you will see ?A=1=1 instead of ?A=1%3D1 in alert.
</body>
</html>
Actual Results:
THE EXAMPLE SHOWS THE EXPECTED RESULTS:
This bug is present in a number of browsers. I suspect it has to do with a
common javascript engine.
Jason, please attach your testcase to this bug by clicking "Create a New
Attachment".
Comment 2 • 23 years ago (Reporter)
Jason, your workaround may be how JS is supposed to work. Remember that JS has
its own encoding rules, separate from HTML's.
Comment 4 • 23 years ago (Reporter)
If that was the case I would expect identical behavior invoking the Javascript
function from an <input>'s onClick attribute as with a javascript href. These
should behave identically.
i.e.
<input type="button" onClick="alert( 'A=1%3D1' )"/>
and
<a href="Javascript: alert( 'A=1%3D1' )">this</a>
should produce the same result in the alert (the string is received
identically). They are both chunks of Javascript specified in the attribute of
a tag?
Comment 6 • 22 years ago
if it's a mozilla bug, it ain't our problem.
Assignee: saari → rogerl
Component: General → JavaScript Engine
Product: Camino → Browser
QA Contact: winnie → pschwartau
Version: unspecified → Trunk
Comment 7 • 22 years ago
How strings are handled within hrefs is outside the domain
of JavaScript Engine. Reassigning to DOM for further triage -
Assignee: rogerl → dom_bugs
Component: JavaScript Engine → DOM Level 0
QA Contact: pschwartau → ashishbhatt
Comment 8 • 22 years ago
hmm.. i wonder if this is related to the "unescape for display purposes" code.
i wonder, what is sent to the server? the escaped string, or the unescaped string?
Comment 9 • 22 years ago
Actually, see bug 104081 for why we unescape javascript: urls.
*** This bug has been marked as a duplicate of 167011 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
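
The behaviour discussed in this thread, as an added example that is not part of the bug report and is not Mozilla code: a small Node.js model of the onClick path and the javascript: href path, run on the strings from the reporter's test case. The function names are hypothetical, and the single percent-decoding pass is an assumption modelled on what the report observes; the %25 form is shown next to the reporter's \x25 workaround.

```javascript
// Added illustration, not Mozilla code; all function names are hypothetical.

// Percent-decode valid %xx runs; malformed ones (e.g. "100%") stay as-is.
function percentDecode(text) {
  return text.replace(/(?:%[0-9a-fA-F]{2})+/g, (run) => {
    try { return decodeURIComponent(run); } catch { return run; }
  });
}

// onClick path: after HTML parsing, the attribute value reaches the JS
// engine unchanged.
function scriptFromOnClick(attrValue) {
  return attrValue;
}

// javascript: href path as reported here: the value is a URL first, so it is
// percent-decoded once before the remainder is compiled as script.
function scriptFromJavascriptHref(href) {
  const scheme = /^\s*javascript:/i.exec(href);
  if (!scheme) throw new Error("not a javascript: URL");
  return percentDecode(href.slice(scheme[0].length));
}

// Evaluate a script with a stub alert() and return the string it was given.
function alertedText(script) {
  let seen;
  new Function("alert", script)((msg) => { seen = String(msg); });
  return seen;
}

// Make script text survive the one URL-decoding pass: "%" becomes "%25".
function protectForJavascriptHref(script) {
  return "javascript:" + script.replace(/%/g, "%25");
}

// Constructed inputs, copied from the report's test case.
const script = "alert('http://192.168.0.216/index.html?A=1%3D1')";
const workaround =
  "javascript:alert('http://192.168.0.216/index.html?A=1\\x253D1')";

console.log(alertedText(scriptFromOnClick(script)));                        // ends in ?A=1%3D1
console.log(alertedText(scriptFromJavascriptHref("javascript:" + script))); // ends in ?A=1=1
console.log(alertedText(scriptFromJavascriptHref(workaround)));             // ends in ?A=1%3D1
console.log(alertedText(scriptFromJavascriptHref(protectForJavascriptHref(script)))); // ends in ?A=1%3D1
```

The \x25 form works because it contains no percent sign for the URL layer to decode, while %25 works because the URL layer turns it back into a single percent sign before the script is compiled.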