Closed Bug 470599 Opened 16 years ago Closed 16 years ago

FF ignores parameters on form ACTION

Categories

(Firefox :: General, defect)

Product:
Firefox
Component:
General
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: kes-kes, Unassigned)

Details

Attachments

(1 file)

test case
133 bytes, text/html
Details 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5

<form action="userlist.pl?param=value" method=GET>

param=value is ignored

Reproducible: Always

Steps to Reproduce:
<form action="userlist.pl?param=value" method=GET>
<input type=submit value='OK'>
<input type=hidden name=gid value=aaa>
</form>


Actual Results:  
When you press OK you go to userlist.pl?gid=aaa

Expected Results:  
instead of:
userlist.pl?param=value&gid=aaa
Attached file test case 

    
  

        Attachment #354008 -
        Attachment mime type: text/plain → text/html

    
  

        Attachment #354008 -
        Attachment mime type: text/html → text/plain

    
    

    
  
Comment on attachment 354008 [details]
test case

><form action="attachment.cgi?id=354008&param=value" method=GET>
><input type=submit value='OK'>
><input type=hidden name=gid value=aaa>
></form>

    
  

        Attachment #354008 -
        Attachment mime type: text/plain → text/html

    
    

    
  
I get the same result with Seamonkey trunk, Opera 9.6x and IE7.

-> invalid
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → INVALID

    
    

    
  
http://www.w3.org/TR/1999/REC-html401-19991224/interact/forms.html#submit-format
NOTICE: "the form data set is *APPENDED* to the URI specified by the *ACTION* attribute"

Standard does not says that you must remove all after '?' mark in URI specefied in ACTION
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---

    
    

    
  
>Expected Results:  
>userlist.pl?param=value&gid=aaa

That's wrong (see w3.org url in comment #4)
>get: With the HTTP "get" method, the form data set is appended to the URI >specified by the action attribute (with a question-mark ("?") as separator) and >this new URI is sent to the processing agent.

That would give you :
userlist.pl?param=value?gid=aaa

? is however a reserved character in an URL (see RFC 3986) and 
URI         = scheme ":" hier-part [ "?" query ] [ "#" fragment ]

and that's the reason that "param=value" as already existing query parameter gets replaced by a new "gid=aaa" query parameter and since all UA follow this example this is invalid and it makes sense.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago16 years ago
Resolution: --- → INVALID

    
    

    
  
>I get the same result with Seamonkey trunk, Opera 9.6x and IE7.
That behaviour is ugly

http://10.0.16.1/stat/admin/userlist.pl?nMonth=11&nYear=2008&gid=1?test=hello

#cat userlist.pl

use Data::Dumper;
print "Content-type: text/html\n\n";
print "<pre>", Dumper( \%ENV ), "</pre>";

OUTPUT:
$VAR1 = {
          'SCRIPT_NAME' => '/stat/admin/userlist.pl',
          'SERVER_NAME' => '10.0.16.1',
          'SERVER_ADMIN' => 'admin@kes.net.ua',
          'HTTP_ACCEPT_ENCODING' => 'gzip,deflate',
          'HTTP_CONNECTION' => 'keep-alive',
          'REQUEST_METHOD' => 'GET',
          'HTTP_ACCEPT' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
          'SCRIPT_FILENAME' => '/usr/local/virtwww/kes.net.ua/stat/admin/userlist.pl',
          'SERVER_SOFTWARE' => 'Apache/2.2.9 (FreeBSD) mod_ssl/2.2.9 OpenSSL/0.9.8e DAV/2 PHP/5.2.6 with Suhosin-Patch',
          'HTTP_ACCEPT_CHARSET' => 'windows-1251,utf-8;q=0.7,*;q=0.7',
          'REMOTE_USER' => 'admin',
          'AUTH_TYPE' => 'Digest',
          'QUERY_STRING' => 'nMonth=11&nYear=2008&gid=1?test=hello',
          'REMOTE_PORT' => '1430',
          'HTTP_USER_AGENT' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5',
          'SERVER_PORT' => '80',
          'SERVER_SIGNATURE' => '',
          'HTTP_CACHE_CONTROL' => 'max-age=0',
          'HTTP_ACCEPT_LANGUAGE' => 'ru,en-us;q=0.7,en;q=0.3',
          'HTTP_COOKIE' => 'CGISESSID=fcad902184916b851219ba6051e05922; CGISESSID=L1.32.7e4236d4eb43df9b9eea7b90c4fc5629; phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%2229dd5a65dc8bd4d0cf0d841d2c699f09%22%3Bs%3A6%3A%22userid%22%3Bi%3A2%3B%7D; phpbb2mysql_t=a%3A2%3A%7Bi%3A27%3Bi%3A1229765225%3Bi%3A2%3Bi%3A1229794846%3B%7D; phpbb2mysql_sid=4c1a088fc21863dc83fe3755faf89e3e; PHPSESSID=d0dfcff5bf73ea5faea65dfb65faffc6',
          'REMOTE_ADDR' => '10.10.16.18',
          'HTTP_KEEP_ALIVE' => '300',
          'SERVER_PROTOCOL' => 'HTTP/1.1',
          'PATH' => '/sbin:/bin:/usr/sbin:/usr/bin',
          'REQUEST_URI' => '/stat/admin/userlist.pl?nMonth=11&nYear=2008&gid=1?test=hello',
          'GATEWAY_INTERFACE' => 'CGI/1.1',
          'SERVER_ADDR' => '10.0.16.1',
          'DOCUMENT_ROOT' => '/usr/local/virtwww/kes.net.ua/data',
          'HTTP_HOST' => '10.0.16.1',
          'UNIQUE_ID' => 'SU4tycHvhCQAAV6ra0cAAAAJ'
        };


NOTICE: QUERY_STRING:
'QUERY_STRING' => 'nMonth=11&nYear=2008&gid=1?test=hello',

>That would give you : userlist.pl?param=value?gid=aaa
I do not agree. It must give me : userlist.pl?param=value&gid=aaa

It says that:
>>the form data set is appended to the URI
<form action="test.pl?test=123">
<input type=text name=tst value=aaa>
</form>


>? is however a reserved character in an URL (see RFC 3986) and 
>URI         = scheme ":" hier-part [ "?" query ] [ "#" fragment ]
As you point URI in form ACTION is valid URI:  "test.pl?test=123". Agree?
As w3.org says: "the form data set is appended to the URI"
URI: test.pl?test=123
FORM DATA: tst=aaa
So I expect URI + FORMDATA: test.pl?test=123&tst=aaa
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---

    
    

    
  
>I do not agree. It must give me : userlist.pl?param=value&gid=aaa
Then read the w3.org link that you posted.

>the form data set is appended to the URI >specified by the action attribute 
That would give you :
userlist.pl?param=valuegid=aaa
From where do you get the "&" from ?
The query string syntax is not generically defined and that means there is no standard that query parameters should be separated with "&" or ";", they are are common used as separator, the w3c recommendation is a semicolon ";" but that doesn't matter in this case.

and now read further (!)
>(with a question-mark ("?") as separator)
in short: APPEND WITH A "?" AS SEPARATOR  
That would result in : action="userlist.pl?param=value" + "?gid=aaa" = "userlist.pl?param=value?gid=aaa"

and as already explained "?" in an URL is a reserved char in an URL (gen-delims, like "/" or "@").

marking invalid again. Please do not reopen this again, it doesn't matter if you find this ugly, this very logical for the common usage and all other UA agree with this (Opera, IE and I bet webkit does the same). Your solution is completely wrong, it's against the w3C, strictly following the W3C would result in "userlist.pl?param=value?gid=aaa" and that conflicts with the URL/HTTP sheme RFC.
That Firefox tries a get request with 2 "?" if you type it manually means nothing, it can't do anything with the "?" like a "\" because of "Thus, characters in the reserved set are protected from normalization".
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago16 years ago
Resolution: --- → INVALID

    
    

    
  
>The query string syntax is not generically defined and that means there is no
standard that query parameters should be separated with "&" or ";",
You separate query parameters with '&' mark, so you also may use same sign to append form data to form ACTION URI.

In any case w3.org does not says: "remove all characters after '?' sign from form ACTION URI and then append form data". Do so you make broken URI in form ACTION.

So EXPECTED BEHAVIOUR:
ACTION:"userlist.pl?param=value" + FORMDATA:"?gid=aaa" =>
"userlist.pl?param=value?gid=aaa"
At least this will follow standart/recomendation of w3.org. 

Developers of FF folows standarts/recomendations of w3.org, does not?
Resolution: INVALID → WONTFIX

    
    

    
  
>ACTION:"userlist.pl?param=value" + FORMDATA:"?gid=aaa" =>
>"userlist.pl?param=value?gid=aaa"
>At least this will follow standart/recomendation of w3.org. 

Sure but as already explained twice, this would be against the URL sheme RFC.
You are in an undefined area and the current behavior makes more sense, replace the existing query string with a new one.

>Developers of FF folows standarts/recomendations of w3.org, does not?
Sure but in this case the w3c standard violates another one.

wontfix means that there is a bug but this is no bug, this is by design and wanted
Resolution: WONTFIX → INVALID

    
    

    
  
>Sure but as already explained twice, this would be against the URL sheme RFC.
You are in an undefined area and the current behavior makes more sense, replace
the existing query string with a new one.

The next behaviour will make ever most sense:
ACTION:"userlist.pl?param=value" + FORMDATA: "gid=aaa"  => userlist.pl?param=value&gid=aaa

Because of: 
1. It do not break ACTION URI. Now you brouke it
2. It will not conflict with current behaviour, because of last parameter win
So if ACTION: "userlist.pl?gid=bbb" and FORM DATA:"gid=aaa" => will produce:
"userlist.pl?gid=bbb&gid=aaa". Later when parsing GET last paramenter will WIN.
3. You follow w3.org recomendation
4. This behaviour gives more flexibility

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: