User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.38 Safari/533.4 Build Identifier: Mozilla/5.0 Usage of '\' character (instead of '/') at the end of URL causes removal of CSS styling and formatting. Page is rendered as plain text. Not replicated in Chrome/IE8/Safari(all of which auto-convert '\' character to '/' or implement some other workaround) Another example with different result of discrepancy using same method: www.fusioncharts.com/about\ (photos are not displayed. Only alternate text is displayed) Reproducible: Always Steps to Reproduce: 1.Use '\' at end of above URLs Actual Results: 1. Removal of CSS Styling and formatting 2. Photos are not diplayed. Only alternate text is displayed Expected Results: 1. CSS Styling should be intact regardless of '\' or '/' character 2. Photos should appear regardless of '\' or '/' character
Not a security bug. Not really a bug at all in fact (we're implementing the standard correctly). I'll leave it open in case someone wants to consider this as a compatibility quirk. You're using relative URLs for the css. The algorithm for relative urls is to remove the filename part of the current page and replace it with the relative URL. An exception is made if there is no "filename", denoted by ending with the hierarchical separator '/', in which case the relative part is tacked on. A slash and backslash are not interchangeable, so Firefox thinks "powercharts\" is the filename part. On your server end you could simply not recognize the page if someone uses the backslash (that'll learn 'em), or more friendly, issue a redirect from the backslash page to the forward-slash form. You already have such a redirect in place because http://www.fusioncharts.com/powercharts (no slash at all) redirects to http://www.fusioncharts.com/powercharts/ Doing the same for the backslash would just be another redirect rule of the same type.
Component: Build Config → General
Product: Firefox → Core
QA Contact: build.config → general
> Chrome/IE8/Safari(all of which auto-convert '\' character to '/' or implement > some other workaround) Only on Windows, apparently. Neither Chrome nor Safari have any such behavior on Mac (just tested that), and Chrome doesn't on Linux last I tested; they show the page the same way Firefox does. And on Windows, all that's likely happening is that some system utility is being used for url parsing, and treats '\' like '/'.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.