Closed Bug 470599 Opened 16 years ago Closed 16 years ago

FF ignores parameters on form ACTION

Categories

(Firefox :: General, defect)

x86
Windows XP
defect
Not set
major

Tracking

()

RESOLVED INVALID

People

(Reporter: kes-kes, Unassigned)

Details

Attachments

(1 file)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 <form action="userlist.pl?param=value" method=GET> param=value is ignored Reproducible: Always Steps to Reproduce: <form action="userlist.pl?param=value" method=GET> <input type=submit value='OK'> <input type=hidden name=gid value=aaa> </form> Actual Results: When you press OK you go to userlist.pl?gid=aaa Expected Results: instead of: userlist.pl?param=value&gid=aaa
Attached file test case
Attachment #354008 - Attachment mime type: text/plain → text/html
Attachment #354008 - Attachment mime type: text/html → text/plain
Comment on attachment 354008 [details] test case ><form action="attachment.cgi?id=354008&param=value" method=GET> ><input type=submit value='OK'> ><input type=hidden name=gid value=aaa> ></form>
Attachment #354008 - Attachment mime type: text/plain → text/html
I get the same result with Seamonkey trunk, Opera 9.6x and IE7. -> invalid
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → INVALID
http://www.w3.org/TR/1999/REC-html401-19991224/interact/forms.html#submit-format NOTICE: "the form data set is *APPENDED* to the URI specified by the *ACTION* attribute" Standard does not says that you must remove all after '?' mark in URI specefied in ACTION
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
>Expected Results: >userlist.pl?param=value&gid=aaa That's wrong (see w3.org url in comment #4) >get: With the HTTP "get" method, the form data set is appended to the URI >specified by the action attribute (with a question-mark ("?") as separator) and >this new URI is sent to the processing agent. That would give you : userlist.pl?param=value?gid=aaa ? is however a reserved character in an URL (see RFC 3986) and URI = scheme ":" hier-part [ "?" query ] [ "#" fragment ] and that's the reason that "param=value" as already existing query parameter gets replaced by a new "gid=aaa" query parameter and since all UA follow this example this is invalid and it makes sense.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago16 years ago
Resolution: --- → INVALID
>I get the same result with Seamonkey trunk, Opera 9.6x and IE7. That behaviour is ugly http://10.0.16.1/stat/admin/userlist.pl?nMonth=11&nYear=2008&gid=1?test=hello #cat userlist.pl use Data::Dumper; print "Content-type: text/html\n\n"; print "<pre>", Dumper( \%ENV ), "</pre>"; OUTPUT: $VAR1 = { 'SCRIPT_NAME' => '/stat/admin/userlist.pl', 'SERVER_NAME' => '10.0.16.1', 'SERVER_ADMIN' => 'admin@kes.net.ua', 'HTTP_ACCEPT_ENCODING' => 'gzip,deflate', 'HTTP_CONNECTION' => 'keep-alive', 'REQUEST_METHOD' => 'GET', 'HTTP_ACCEPT' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'SCRIPT_FILENAME' => '/usr/local/virtwww/kes.net.ua/stat/admin/userlist.pl', 'SERVER_SOFTWARE' => 'Apache/2.2.9 (FreeBSD) mod_ssl/2.2.9 OpenSSL/0.9.8e DAV/2 PHP/5.2.6 with Suhosin-Patch', 'HTTP_ACCEPT_CHARSET' => 'windows-1251,utf-8;q=0.7,*;q=0.7', 'REMOTE_USER' => 'admin', 'AUTH_TYPE' => 'Digest', 'QUERY_STRING' => 'nMonth=11&nYear=2008&gid=1?test=hello', 'REMOTE_PORT' => '1430', 'HTTP_USER_AGENT' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5', 'SERVER_PORT' => '80', 'SERVER_SIGNATURE' => '', 'HTTP_CACHE_CONTROL' => 'max-age=0', 'HTTP_ACCEPT_LANGUAGE' => 'ru,en-us;q=0.7,en;q=0.3', 'HTTP_COOKIE' => 'CGISESSID=fcad902184916b851219ba6051e05922; CGISESSID=L1.32.7e4236d4eb43df9b9eea7b90c4fc5629; phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%2229dd5a65dc8bd4d0cf0d841d2c699f09%22%3Bs%3A6%3A%22userid%22%3Bi%3A2%3B%7D; phpbb2mysql_t=a%3A2%3A%7Bi%3A27%3Bi%3A1229765225%3Bi%3A2%3Bi%3A1229794846%3B%7D; phpbb2mysql_sid=4c1a088fc21863dc83fe3755faf89e3e; PHPSESSID=d0dfcff5bf73ea5faea65dfb65faffc6', 'REMOTE_ADDR' => '10.10.16.18', 'HTTP_KEEP_ALIVE' => '300', 'SERVER_PROTOCOL' => 'HTTP/1.1', 'PATH' => '/sbin:/bin:/usr/sbin:/usr/bin', 'REQUEST_URI' => '/stat/admin/userlist.pl?nMonth=11&nYear=2008&gid=1?test=hello', 'GATEWAY_INTERFACE' => 'CGI/1.1', 'SERVER_ADDR' => '10.0.16.1', 'DOCUMENT_ROOT' => '/usr/local/virtwww/kes.net.ua/data', 'HTTP_HOST' => '10.0.16.1', 'UNIQUE_ID' => 'SU4tycHvhCQAAV6ra0cAAAAJ' }; NOTICE: QUERY_STRING: 'QUERY_STRING' => 'nMonth=11&nYear=2008&gid=1?test=hello', >That would give you : userlist.pl?param=value?gid=aaa I do not agree. It must give me : userlist.pl?param=value&gid=aaa It says that: >>the form data set is appended to the URI <form action="test.pl?test=123"> <input type=text name=tst value=aaa> </form> >? is however a reserved character in an URL (see RFC 3986) and >URI = scheme ":" hier-part [ "?" query ] [ "#" fragment ] As you point URI in form ACTION is valid URI: "test.pl?test=123". Agree? As w3.org says: "the form data set is appended to the URI" URI: test.pl?test=123 FORM DATA: tst=aaa So I expect URI + FORMDATA: test.pl?test=123&tst=aaa
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
>I do not agree. It must give me : userlist.pl?param=value&gid=aaa Then read the w3.org link that you posted. >the form data set is appended to the URI >specified by the action attribute That would give you : userlist.pl?param=valuegid=aaa From where do you get the "&" from ? The query string syntax is not generically defined and that means there is no standard that query parameters should be separated with "&" or ";", they are are common used as separator, the w3c recommendation is a semicolon ";" but that doesn't matter in this case. and now read further (!) >(with a question-mark ("?") as separator) in short: APPEND WITH A "?" AS SEPARATOR That would result in : action="userlist.pl?param=value" + "?gid=aaa" = "userlist.pl?param=value?gid=aaa" and as already explained "?" in an URL is a reserved char in an URL (gen-delims, like "/" or "@"). marking invalid again. Please do not reopen this again, it doesn't matter if you find this ugly, this very logical for the common usage and all other UA agree with this (Opera, IE and I bet webkit does the same). Your solution is completely wrong, it's against the w3C, strictly following the W3C would result in "userlist.pl?param=value?gid=aaa" and that conflicts with the URL/HTTP sheme RFC. That Firefox tries a get request with 2 "?" if you type it manually means nothing, it can't do anything with the "?" like a "\" because of "Thus, characters in the reserved set are protected from normalization".
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago16 years ago
Resolution: --- → INVALID
>The query string syntax is not generically defined and that means there is no standard that query parameters should be separated with "&" or ";", You separate query parameters with '&' mark, so you also may use same sign to append form data to form ACTION URI. In any case w3.org does not says: "remove all characters after '?' sign from form ACTION URI and then append form data". Do so you make broken URI in form ACTION. So EXPECTED BEHAVIOUR: ACTION:"userlist.pl?param=value" + FORMDATA:"?gid=aaa" => "userlist.pl?param=value?gid=aaa" At least this will follow standart/recomendation of w3.org. Developers of FF folows standarts/recomendations of w3.org, does not?
Resolution: INVALID → WONTFIX
>ACTION:"userlist.pl?param=value" + FORMDATA:"?gid=aaa" => >"userlist.pl?param=value?gid=aaa" >At least this will follow standart/recomendation of w3.org. Sure but as already explained twice, this would be against the URL sheme RFC. You are in an undefined area and the current behavior makes more sense, replace the existing query string with a new one. >Developers of FF folows standarts/recomendations of w3.org, does not? Sure but in this case the w3c standard violates another one. wontfix means that there is a bug but this is no bug, this is by design and wanted
Resolution: WONTFIX → INVALID
>Sure but as already explained twice, this would be against the URL sheme RFC. You are in an undefined area and the current behavior makes more sense, replace the existing query string with a new one. The next behaviour will make ever most sense: ACTION:"userlist.pl?param=value" + FORMDATA: "gid=aaa" => userlist.pl?param=value&gid=aaa Because of: 1. It do not break ACTION URI. Now you brouke it 2. It will not conflict with current behaviour, because of last parameter win So if ACTION: "userlist.pl?gid=bbb" and FORM DATA:"gid=aaa" => will produce: "userlist.pl?gid=bbb&gid=aaa". Later when parsing GET last paramenter will WIN. 3. You follow w3.org recomendation 4. This behaviour gives more flexibility
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: