Open
Bug 225845
Opened 21 years ago
Updated 15 years ago
Unescaping URLs for status bar display could be more intelligent
Categories
(SeaMonkey :: UI Design, defect)
SeaMonkey
UI Design
Tracking
(Not tracked)
NEW
People
(Reporter: jason1, Unassigned)
Details
Attachments
(1 file)
307 bytes,
text/html
|
Details |
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6b) Gecko/20031114 Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6b) Gecko/20031114 When Mozilla displays a URL in the status bar, it blindly unescapes every occurrance of '%XX', without regard for whether doing so is likely to change the meaning of the URL or not. Ostensibly, the unescaping is done primarily for international users, so that non-ASCII characters can be displayed unescaped (see bug 150620). (Or is it just a side effect of some mailto URL logic? -- see bug 60178.) I'll concede that, but it doesn't explain why special characters like %23 (#) and %25 (%) are unescaped. I think that, when two URLs are likely to have different effects, some reasonable attempt should be made to make them be displayed differently in the status bar. Sequences that should always stay escaped include: %23 (#) %25 (%) Sequences that should stay escaped when they occcur before the '?' include: %2F (/) %3F (?) Sequences that should stay escaped when they occur after the '?' include: %26 (&) %3D (=) %2B (+) (unless + is unescaped to ' ', or converted to '%20') %3B (;) (maybe. sometimes used as a substitute for &) Also, if URL ends in a space, maybe it should always be shown escaped. Reproducible: Always Steps to Reproduce: Hover mouse over links on attachment; observe status bar. Actual Results: Status bar indicates that URLs are exactly the same. Expected Results: URLs should be displayed differently in status bar -- certain characters should not be unescaped.
Reporter | ||
Comment 1•21 years ago
|
||
Comment 2•21 years ago
|
||
> Ostensibly, the unescaping is done primarily for international users You make it sound like people are lying to you. They're not. > Or is it just a side effect It's not. > I'll concede that, but it doesn't explain why Because the URL string is just run through a "unescape URL" function that unescapes all %-escapes. > I think that, when two URLs are likely to have different effects What would be the benefit of that (and your other demands) to users?
Reporter | ||
Comment 3•21 years ago
|
||
It's just a suggestion. If the way I phrased this report seemed overly antagonistic, then I apologize. Most users never look at the URL, so it would be of no benefit to most users. But for those users, there's no reason to display the URL at all. For users who do sometimes look at the URL, the benefit would be a more accurate forecast of what will happen if they follow the link.
Summary: Unescaping URLs for status bar display should be more intelligent → Unescaping URLs for status bar display could be more intelligent
Comment 4•21 years ago
|
||
I agree that unescaping URI special and reserved characters (as defined in RFC 2396) in the status bar probably doesn't make much sense. Those characters can change the meaning of the URI, so keeping them escaped is probably a good idea. NOTE: We are talking about the behavior of nsITextToSubURI::unEscapeURIForUI, which is only used when preparing a URI to be displayed in the UI. The solution might be to pass esc_Minimal to NS_UnescapeURL.
Comment 5•21 years ago
|
||
[Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6a) Gecko/20031030] Control chars in URLs are not visible in status bar but should be. URLs like http://fake.host%01@real.host/ are used to exploit the recently discovered IE parsing vulnerability, see http://www.securityfocus.com/archive/1/346948 Related: Bug 122445.
Comment 6•21 years ago
|
||
[Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6) Gecko/20040113] This is IMO fixed in 1.6, see bug 227176. Related testcases are now OK: Attachment 135620 [details] (Comment 1) Attachment 137366 [details] (Bug 122445, comment 108) Attachment 137564 [details] (Bug 227176, comment 49)
Comment 7•21 years ago
|
||
Sorry, bug 227176 should be bug 228176 in comment 6.
Comment 9•21 years ago
|
||
Agree ... sorry for the spam.
Updated•20 years ago
|
Product: Core → Mozilla Application Suite
Comment 10•19 years ago
|
||
This is an automated message, with ID "auto-resolve01". This bug has had no comments for a long time. Statistically, we have found that bug reports that have not been confirmed by a second user after three months are highly unlikely to be the source of a fix to the code. While your input is very important to us, our resources are limited and so we are asking for your help in focussing our efforts. If you can still reproduce this problem in the latest version of the product (see below for how to obtain a copy) or, for feature requests, if it's not present in the latest version and you still believe we should implement it, please visit the URL of this bug (given at the top of this mail) and add a comment to that effect, giving more reproduction information if you have it. If it is not a problem any longer, you need take no action. If this bug is not changed in any way in the next two weeks, it will be automatically resolved. Thank you for your help in this matter. The latest beta releases can be obtained from: Firefox: http://www.mozilla.org/projects/firefox/ Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html Seamonkey: http://www.mozilla.org/projects/seamonkey/
Comment 11•19 years ago
|
||
If a site is using a URL crafted with those characters, then I would think that the links are not very likely to have much meaning even in their unescaped form.
Comment 12•16 years ago
|
||
I thought this would be fixed in the %00 frenzy from last summer, but the testcase still shows the same links for me with Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9pre) Gecko/2008041601 SeaMonkey/2.0a1pre. Should probably be moved to some Core component...
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows 98 → All
Hardware: PC → All
Comment 13•16 years ago
|
||
Filter "spam" on "guifeatures-nobody-20080610".
Assignee: guifeatures → nobody
QA Contact: guifeatures
You need to log in
before you can comment on or make changes to this bug.
Description
•