Closed
Bug 470599
Opened 16 years ago
Closed 16 years ago
FF ignores parameters on form ACTION
Categories
(Firefox :: General, defect)
Tracking
()
RESOLVED
INVALID
People
(Reporter: kes-kes, Unassigned)
Details
Attachments
(1 file)
133 bytes,
text/html
|
Details |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
<form action="userlist.pl?param=value" method=GET>
param=value is ignored
Reproducible: Always
Steps to Reproduce:
<form action="userlist.pl?param=value" method=GET>
<input type=submit value='OK'>
<input type=hidden name=gid value=aaa>
</form>
Actual Results:
When you press OK you go to userlist.pl?gid=aaa
Expected Results:
instead of:
userlist.pl?param=value&gid=aaa
Reporter | ||
Comment 1•16 years ago
|
||
Reporter | ||
Updated•16 years ago
|
Attachment #354008 -
Attachment mime type: text/plain → text/html
Reporter | ||
Updated•16 years ago
|
Attachment #354008 -
Attachment mime type: text/html → text/plain
Reporter | ||
Comment 2•16 years ago
|
||
Comment on attachment 354008 [details]
test case
><form action="attachment.cgi?id=354008¶m=value" method=GET>
><input type=submit value='OK'>
><input type=hidden name=gid value=aaa>
></form>
Reporter | ||
Updated•16 years ago
|
Attachment #354008 -
Attachment mime type: text/plain → text/html
Comment 3•16 years ago
|
||
I get the same result with Seamonkey trunk, Opera 9.6x and IE7.
-> invalid
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → INVALID
Reporter | ||
Comment 4•16 years ago
|
||
http://www.w3.org/TR/1999/REC-html401-19991224/interact/forms.html#submit-format
NOTICE: "the form data set is *APPENDED* to the URI specified by the *ACTION* attribute"
Standard does not says that you must remove all after '?' mark in URI specefied in ACTION
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Comment 5•16 years ago
|
||
>Expected Results:
>userlist.pl?param=value&gid=aaa
That's wrong (see w3.org url in comment #4)
>get: With the HTTP "get" method, the form data set is appended to the URI >specified by the action attribute (with a question-mark ("?") as separator) and >this new URI is sent to the processing agent.
That would give you :
userlist.pl?param=value?gid=aaa
? is however a reserved character in an URL (see RFC 3986) and
URI = scheme ":" hier-part [ "?" query ] [ "#" fragment ]
and that's the reason that "param=value" as already existing query parameter gets replaced by a new "gid=aaa" query parameter and since all UA follow this example this is invalid and it makes sense.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago → 16 years ago
Resolution: --- → INVALID
Reporter | ||
Comment 6•16 years ago
|
||
>I get the same result with Seamonkey trunk, Opera 9.6x and IE7.
That behaviour is ugly
http://10.0.16.1/stat/admin/userlist.pl?nMonth=11&nYear=2008&gid=1?test=hello
#cat userlist.pl
use Data::Dumper;
print "Content-type: text/html\n\n";
print "<pre>", Dumper( \%ENV ), "</pre>";
OUTPUT:
$VAR1 = {
'SCRIPT_NAME' => '/stat/admin/userlist.pl',
'SERVER_NAME' => '10.0.16.1',
'SERVER_ADMIN' => 'admin@kes.net.ua',
'HTTP_ACCEPT_ENCODING' => 'gzip,deflate',
'HTTP_CONNECTION' => 'keep-alive',
'REQUEST_METHOD' => 'GET',
'HTTP_ACCEPT' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'SCRIPT_FILENAME' => '/usr/local/virtwww/kes.net.ua/stat/admin/userlist.pl',
'SERVER_SOFTWARE' => 'Apache/2.2.9 (FreeBSD) mod_ssl/2.2.9 OpenSSL/0.9.8e DAV/2 PHP/5.2.6 with Suhosin-Patch',
'HTTP_ACCEPT_CHARSET' => 'windows-1251,utf-8;q=0.7,*;q=0.7',
'REMOTE_USER' => 'admin',
'AUTH_TYPE' => 'Digest',
'QUERY_STRING' => 'nMonth=11&nYear=2008&gid=1?test=hello',
'REMOTE_PORT' => '1430',
'HTTP_USER_AGENT' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5',
'SERVER_PORT' => '80',
'SERVER_SIGNATURE' => '',
'HTTP_CACHE_CONTROL' => 'max-age=0',
'HTTP_ACCEPT_LANGUAGE' => 'ru,en-us;q=0.7,en;q=0.3',
'HTTP_COOKIE' => 'CGISESSID=fcad902184916b851219ba6051e05922; CGISESSID=L1.32.7e4236d4eb43df9b9eea7b90c4fc5629; phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%2229dd5a65dc8bd4d0cf0d841d2c699f09%22%3Bs%3A6%3A%22userid%22%3Bi%3A2%3B%7D; phpbb2mysql_t=a%3A2%3A%7Bi%3A27%3Bi%3A1229765225%3Bi%3A2%3Bi%3A1229794846%3B%7D; phpbb2mysql_sid=4c1a088fc21863dc83fe3755faf89e3e; PHPSESSID=d0dfcff5bf73ea5faea65dfb65faffc6',
'REMOTE_ADDR' => '10.10.16.18',
'HTTP_KEEP_ALIVE' => '300',
'SERVER_PROTOCOL' => 'HTTP/1.1',
'PATH' => '/sbin:/bin:/usr/sbin:/usr/bin',
'REQUEST_URI' => '/stat/admin/userlist.pl?nMonth=11&nYear=2008&gid=1?test=hello',
'GATEWAY_INTERFACE' => 'CGI/1.1',
'SERVER_ADDR' => '10.0.16.1',
'DOCUMENT_ROOT' => '/usr/local/virtwww/kes.net.ua/data',
'HTTP_HOST' => '10.0.16.1',
'UNIQUE_ID' => 'SU4tycHvhCQAAV6ra0cAAAAJ'
};
NOTICE: QUERY_STRING:
'QUERY_STRING' => 'nMonth=11&nYear=2008&gid=1?test=hello',
>That would give you : userlist.pl?param=value?gid=aaa
I do not agree. It must give me : userlist.pl?param=value&gid=aaa
It says that:
>>the form data set is appended to the URI
<form action="test.pl?test=123">
<input type=text name=tst value=aaa>
</form>
>? is however a reserved character in an URL (see RFC 3986) and
>URI = scheme ":" hier-part [ "?" query ] [ "#" fragment ]
As you point URI in form ACTION is valid URI: "test.pl?test=123". Agree?
As w3.org says: "the form data set is appended to the URI"
URI: test.pl?test=123
FORM DATA: tst=aaa
So I expect URI + FORMDATA: test.pl?test=123&tst=aaa
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Comment 7•16 years ago
|
||
>I do not agree. It must give me : userlist.pl?param=value&gid=aaa
Then read the w3.org link that you posted.
>the form data set is appended to the URI >specified by the action attribute
That would give you :
userlist.pl?param=valuegid=aaa
From where do you get the "&" from ?
The query string syntax is not generically defined and that means there is no standard that query parameters should be separated with "&" or ";", they are are common used as separator, the w3c recommendation is a semicolon ";" but that doesn't matter in this case.
and now read further (!)
>(with a question-mark ("?") as separator)
in short: APPEND WITH A "?" AS SEPARATOR
That would result in : action="userlist.pl?param=value" + "?gid=aaa" = "userlist.pl?param=value?gid=aaa"
and as already explained "?" in an URL is a reserved char in an URL (gen-delims, like "/" or "@").
marking invalid again. Please do not reopen this again, it doesn't matter if you find this ugly, this very logical for the common usage and all other UA agree with this (Opera, IE and I bet webkit does the same). Your solution is completely wrong, it's against the w3C, strictly following the W3C would result in "userlist.pl?param=value?gid=aaa" and that conflicts with the URL/HTTP sheme RFC.
That Firefox tries a get request with 2 "?" if you type it manually means nothing, it can't do anything with the "?" like a "\" because of "Thus, characters in the reserved set are protected from normalization".
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago → 16 years ago
Resolution: --- → INVALID
Reporter | ||
Comment 8•16 years ago
|
||
>The query string syntax is not generically defined and that means there is no
standard that query parameters should be separated with "&" or ";",
You separate query parameters with '&' mark, so you also may use same sign to append form data to form ACTION URI.
In any case w3.org does not says: "remove all characters after '?' sign from form ACTION URI and then append form data". Do so you make broken URI in form ACTION.
So EXPECTED BEHAVIOUR:
ACTION:"userlist.pl?param=value" + FORMDATA:"?gid=aaa" =>
"userlist.pl?param=value?gid=aaa"
At least this will follow standart/recomendation of w3.org.
Developers of FF folows standarts/recomendations of w3.org, does not?
Resolution: INVALID → WONTFIX
Comment 9•16 years ago
|
||
>ACTION:"userlist.pl?param=value" + FORMDATA:"?gid=aaa" =>
>"userlist.pl?param=value?gid=aaa"
>At least this will follow standart/recomendation of w3.org.
Sure but as already explained twice, this would be against the URL sheme RFC.
You are in an undefined area and the current behavior makes more sense, replace the existing query string with a new one.
>Developers of FF folows standarts/recomendations of w3.org, does not?
Sure but in this case the w3c standard violates another one.
wontfix means that there is a bug but this is no bug, this is by design and wanted
Resolution: WONTFIX → INVALID
Reporter | ||
Comment 10•16 years ago
|
||
>Sure but as already explained twice, this would be against the URL sheme RFC.
You are in an undefined area and the current behavior makes more sense, replace
the existing query string with a new one.
The next behaviour will make ever most sense:
ACTION:"userlist.pl?param=value" + FORMDATA: "gid=aaa" => userlist.pl?param=value&gid=aaa
Because of:
1. It do not break ACTION URI. Now you brouke it
2. It will not conflict with current behaviour, because of last parameter win
So if ACTION: "userlist.pl?gid=bbb" and FORM DATA:"gid=aaa" => will produce:
"userlist.pl?gid=bbb&gid=aaa". Later when parsing GET last paramenter will WIN.
3. You follow w3.org recomendation
4. This behaviour gives more flexibility
You need to log in
before you can comment on or make changes to this bug.
Description
•