FF ignores parameters on form ACTION

RESOLVED INVALID

Status

()

--
major
RESOLVED INVALID
10 years ago
10 years ago

People

(Reporter: kes-kes, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

10 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5

<form action="userlist.pl?param=value" method=GET>

param=value is ignored

Reproducible: Always

Steps to Reproduce:
<form action="userlist.pl?param=value" method=GET>
<input type=submit value='OK'>
<input type=hidden name=gid value=aaa>
</form>


Actual Results:  
When you press OK you go to userlist.pl?gid=aaa

Expected Results:  
instead of:
userlist.pl?param=value&gid=aaa
(Reporter)

Comment 1

10 years ago
Created attachment 354008 [details]
test case
(Reporter)

Updated

10 years ago
Attachment #354008 - Attachment mime type: text/plain → text/html
(Reporter)

Updated

10 years ago
Attachment #354008 - Attachment mime type: text/html → text/plain
(Reporter)

Comment 2

10 years ago
Comment on attachment 354008 [details]
test case

><form action="attachment.cgi?id=354008&param=value" method=GET>
><input type=submit value='OK'>
><input type=hidden name=gid value=aaa>
></form>
(Reporter)

Updated

10 years ago
Attachment #354008 - Attachment mime type: text/plain → text/html
I get the same result with Seamonkey trunk, Opera 9.6x and IE7.

-> invalid
Status: UNCONFIRMED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → INVALID
(Reporter)

Comment 4

10 years ago
http://www.w3.org/TR/1999/REC-html401-19991224/interact/forms.html#submit-format
NOTICE: "the form data set is *APPENDED* to the URI specified by the *ACTION* attribute"

Standard does not says that you must remove all after '?' mark in URI specefied in ACTION
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
>Expected Results:  
>userlist.pl?param=value&gid=aaa

That's wrong (see w3.org url in comment #4)
>get: With the HTTP "get" method, the form data set is appended to the URI >specified by the action attribute (with a question-mark ("?") as separator) and >this new URI is sent to the processing agent.

That would give you :
userlist.pl?param=value?gid=aaa

? is however a reserved character in an URL (see RFC 3986) and 
URI         = scheme ":" hier-part [ "?" query ] [ "#" fragment ]

and that's the reason that "param=value" as already existing query parameter gets replaced by a new "gid=aaa" query parameter and since all UA follow this example this is invalid and it makes sense.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 10 years ago10 years ago
Resolution: --- → INVALID
(Reporter)

Comment 6

10 years ago
>I get the same result with Seamonkey trunk, Opera 9.6x and IE7.
That behaviour is ugly

http://10.0.16.1/stat/admin/userlist.pl?nMonth=11&nYear=2008&gid=1?test=hello

#cat userlist.pl

use Data::Dumper;
print "Content-type: text/html\n\n";
print "<pre>", Dumper( \%ENV ), "</pre>";

OUTPUT:
$VAR1 = {
          'SCRIPT_NAME' => '/stat/admin/userlist.pl',
          'SERVER_NAME' => '10.0.16.1',
          'SERVER_ADMIN' => 'admin@kes.net.ua',
          'HTTP_ACCEPT_ENCODING' => 'gzip,deflate',
          'HTTP_CONNECTION' => 'keep-alive',
          'REQUEST_METHOD' => 'GET',
          'HTTP_ACCEPT' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
          'SCRIPT_FILENAME' => '/usr/local/virtwww/kes.net.ua/stat/admin/userlist.pl',
          'SERVER_SOFTWARE' => 'Apache/2.2.9 (FreeBSD) mod_ssl/2.2.9 OpenSSL/0.9.8e DAV/2 PHP/5.2.6 with Suhosin-Patch',
          'HTTP_ACCEPT_CHARSET' => 'windows-1251,utf-8;q=0.7,*;q=0.7',
          'REMOTE_USER' => 'admin',
          'AUTH_TYPE' => 'Digest',
          'QUERY_STRING' => 'nMonth=11&nYear=2008&gid=1?test=hello',
          'REMOTE_PORT' => '1430',
          'HTTP_USER_AGENT' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5',
          'SERVER_PORT' => '80',
          'SERVER_SIGNATURE' => '',
          'HTTP_CACHE_CONTROL' => 'max-age=0',
          'HTTP_ACCEPT_LANGUAGE' => 'ru,en-us;q=0.7,en;q=0.3',
          'HTTP_COOKIE' => 'CGISESSID=fcad902184916b851219ba6051e05922; CGISESSID=L1.32.7e4236d4eb43df9b9eea7b90c4fc5629; phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%2229dd5a65dc8bd4d0cf0d841d2c699f09%22%3Bs%3A6%3A%22userid%22%3Bi%3A2%3B%7D; phpbb2mysql_t=a%3A2%3A%7Bi%3A27%3Bi%3A1229765225%3Bi%3A2%3Bi%3A1229794846%3B%7D; phpbb2mysql_sid=4c1a088fc21863dc83fe3755faf89e3e; PHPSESSID=d0dfcff5bf73ea5faea65dfb65faffc6',
          'REMOTE_ADDR' => '10.10.16.18',
          'HTTP_KEEP_ALIVE' => '300',
          'SERVER_PROTOCOL' => 'HTTP/1.1',
          'PATH' => '/sbin:/bin:/usr/sbin:/usr/bin',
          'REQUEST_URI' => '/stat/admin/userlist.pl?nMonth=11&nYear=2008&gid=1?test=hello',
          'GATEWAY_INTERFACE' => 'CGI/1.1',
          'SERVER_ADDR' => '10.0.16.1',
          'DOCUMENT_ROOT' => '/usr/local/virtwww/kes.net.ua/data',
          'HTTP_HOST' => '10.0.16.1',
          'UNIQUE_ID' => 'SU4tycHvhCQAAV6ra0cAAAAJ'
        };


NOTICE: QUERY_STRING:
'QUERY_STRING' => 'nMonth=11&nYear=2008&gid=1?test=hello',

>That would give you : userlist.pl?param=value?gid=aaa
I do not agree. It must give me : userlist.pl?param=value&gid=aaa

It says that:
>>the form data set is appended to the URI
<form action="test.pl?test=123">
<input type=text name=tst value=aaa>
</form>


>? is however a reserved character in an URL (see RFC 3986) and 
>URI         = scheme ":" hier-part [ "?" query ] [ "#" fragment ]
As you point URI in form ACTION is valid URI:  "test.pl?test=123". Agree?
As w3.org says: "the form data set is appended to the URI"
URI: test.pl?test=123
FORM DATA: tst=aaa
So I expect URI + FORMDATA: test.pl?test=123&tst=aaa
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
>I do not agree. It must give me : userlist.pl?param=value&gid=aaa
Then read the w3.org link that you posted.

>the form data set is appended to the URI >specified by the action attribute 
That would give you :
userlist.pl?param=valuegid=aaa
From where do you get the "&" from ?
The query string syntax is not generically defined and that means there is no standard that query parameters should be separated with "&" or ";", they are are common used as separator, the w3c recommendation is a semicolon ";" but that doesn't matter in this case.

and now read further (!)
>(with a question-mark ("?") as separator)
in short: APPEND WITH A "?" AS SEPARATOR  
That would result in : action="userlist.pl?param=value" + "?gid=aaa" = "userlist.pl?param=value?gid=aaa"

and as already explained "?" in an URL is a reserved char in an URL (gen-delims, like "/" or "@").

marking invalid again. Please do not reopen this again, it doesn't matter if you find this ugly, this very logical for the common usage and all other UA agree with this (Opera, IE and I bet webkit does the same). Your solution is completely wrong, it's against the w3C, strictly following the W3C would result in "userlist.pl?param=value?gid=aaa" and that conflicts with the URL/HTTP sheme RFC.
That Firefox tries a get request with 2 "?" if you type it manually means nothing, it can't do anything with the "?" like a "\" because of "Thus, characters in the reserved set are protected from normalization".
Status: UNCONFIRMED → RESOLVED
Last Resolved: 10 years ago10 years ago
Resolution: --- → INVALID
(Reporter)

Comment 8

10 years ago
>The query string syntax is not generically defined and that means there is no
standard that query parameters should be separated with "&" or ";",
You separate query parameters with '&' mark, so you also may use same sign to append form data to form ACTION URI.

In any case w3.org does not says: "remove all characters after '?' sign from form ACTION URI and then append form data". Do so you make broken URI in form ACTION.

So EXPECTED BEHAVIOUR:
ACTION:"userlist.pl?param=value" + FORMDATA:"?gid=aaa" =>
"userlist.pl?param=value?gid=aaa"
At least this will follow standart/recomendation of w3.org. 

Developers of FF folows standarts/recomendations of w3.org, does not?
Resolution: INVALID → WONTFIX
>ACTION:"userlist.pl?param=value" + FORMDATA:"?gid=aaa" =>
>"userlist.pl?param=value?gid=aaa"
>At least this will follow standart/recomendation of w3.org. 

Sure but as already explained twice, this would be against the URL sheme RFC.
You are in an undefined area and the current behavior makes more sense, replace the existing query string with a new one.

>Developers of FF folows standarts/recomendations of w3.org, does not?
Sure but in this case the w3c standard violates another one.

wontfix means that there is a bug but this is no bug, this is by design and wanted
Resolution: WONTFIX → INVALID
(Reporter)

Comment 10

10 years ago
>Sure but as already explained twice, this would be against the URL sheme RFC.
You are in an undefined area and the current behavior makes more sense, replace
the existing query string with a new one.

The next behaviour will make ever most sense:
ACTION:"userlist.pl?param=value" + FORMDATA: "gid=aaa"  => userlist.pl?param=value&gid=aaa

Because of: 
1. It do not break ACTION URI. Now you brouke it
2. It will not conflict with current behaviour, because of last parameter win
So if ACTION: "userlist.pl?gid=bbb" and FORM DATA:"gid=aaa" => will produce:
"userlist.pl?gid=bbb&gid=aaa". Later when parsing GET last paramenter will WIN.
3. You follow w3.org recomendation
4. This behaviour gives more flexibility
You need to log in before you can comment on or make changes to this bug.