Closed
Bug 632799
Opened 14 years ago
Closed 14 years ago
Browser is unable to have an href with a querystring parameter of amp, lt, gt, etc.
Categories
(Core :: DOM: HTML Parser, defect)
RESOLVED
INVALID
People
(Reporter: jeremy.long, Unassigned)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
When constructing an href attribute the browser incorrectly submits the URL. Here is the example:
<a href="products.html?page=details&amp=polk">View Polk Amp</a>
If one clicked on the above link the browser will submit the URL as:
products.html?page=details&=polk
Reproducible: Always
Steps to Reproduce:
1. create a page containing a URL where the querystring within an HREF contains HTML Entity Encoded data. Example: <a href="products.html?page=details&amp=polk">View Polk Amp</a>
2. View page in browser
3. Click on "View Polk Amp" link
4. Browser loads the URL: products.html?page=details&=polk
Actual Results:
The browser drops the "amp" query string parameter
Expected Results:
The browser should have kept the "amp" query string parameter.
This issue is bigger than just incorrect results in attempting to browse a site that contains an "amp", "lt", "gt", etc. query string parameters. The fact that the HREF is HTML decoded creates additional edge cases for XSS vulnerabilities: for instance if you HTML encode the "javascript:" and place this into an href this will still be handed to the javascript interpreter:
<a href="javascript:%61%6C%65%72%74%28%27%78%73%73%27%29">click me to see an alert</a>
Lastly, IE contains the same functionality - however, Chrome requires the semi-colon. Not sure if this is a spec issue or just browsers being very lax to be able to handle more pages gracefully. Either way, regardless of the security the fact that you can't have a querystring parameter of "amp" is an issue.
Comment 1•14 years ago
You are writing HTML. HTML entities such as &amp; and &lt; are parsed per spec here. In order to do what you want, you need to escape the ampersand like this:
<a href="products.html?page=details&amp;amp=polk">
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Component: General → HTML: Parser
Product: Firefox → Core
QA Contact: general → parser
Resolution: --- → INVALID
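Added example, not part of the bug report or of Mozilla's code: a server-side sketch of the two encoding layers discussed above, showing that an href built with URL encoding followed by HTML attribute escaping keeps the "amp" parameter, and that a scheme check has to run on the attribute value after character references are decoded. The function names and the allowed-scheme set are assumptions; Python's html.unescape stands in for the attribute decoding described in the report, and it also accepts legacy names without a semicolon.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit

ALLOWED_SCHEMES = {"", "http", "https"}  # assumption: relative and web links only
C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def build_href(path, params):
    """Return an href attribute value that survives HTML attribute parsing."""
    url = path + "?" + urlencode(params)  # URL layer: percent-encode names and values
    return html.escape(url, quote=True)   # HTML layer: every & becomes &amp;


def decode_attr(attr_value):
    """Decode character references, including legacy ones such as &amp without ';'."""
    return html.unescape(attr_value)


def query_seen_by_server(attr_value):
    """Parse the query string of the URL that results from the attribute value."""
    return parse_qs(urlsplit(decode_attr(attr_value)).query)


def is_allowed_href(attr_value):
    """Check the scheme on the decoded value, since that is what gets navigated."""
    url = decode_attr(attr_value).strip(C0_AND_SPACE)
    url = url.replace("\t", "").replace("\r", "").replace("\n", "")
    return urlsplit(url).scheme.lower() in ALLOWED_SCHEMES


if __name__ == "__main__":
    raw = "products.html?page=details&amp=polk"  # attribute value from the report
    fixed = build_href("products.html", {"page": "details", "amp": "polk"})
    print("raw  :", raw, query_seen_by_server(raw))
    print("fixed:", fixed, query_seen_by_server(fixed))
    # Constructed sample: the scheme is only visible after decoding.
    print("allowed:", is_allowed_href("&#106;avascript:void(0)"))
```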