net/http: Redirect HTML encodes path rather than URL encoding #14115
Comments
CC @bradfitz
I think the code is fine as-is. We're not interpreting the Location string the user sends. We're just wrapping it in HTML, which is working as designed. I think the backslash issue you're seeing is because your shell is interpreting \ as a single , which then works its way through the functions and the HTML correctly. I guess I just don't see the problem here.
The issue is that html encoding is being used where url encoding is supposed to be. Most modern browsers can cope with an incorrectly escaped
Why are we still talking about an "incorrectly escaped It's okay to write
```go
package main

import (
	"fmt"
	"log"
	"net/http"
)

func main() {
	// Redirect "/" to "/<" and dump whatever request arrives afterwards.
	log.Fatal(http.ListenAndServe(":8080", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/" {
			http.Redirect(w, r, "/<", http.StatusFound)
			return
		}
		fmt.Fprintf(w, "Got a %#v\n\n%#v", r, r.URL)
	})))
}
```
I don't want to add more URL parsing in this code. That will only open the door to new bugs. The escaping is fine as-is. It's HTML-escaped in an HTML attribute. It doesn't need to be URL escaped. The Unless you can find an example that actually produces invalid HTML or invalid HTTP and is thus a security problem of some sort, I'm not inclined to change anything.
Go Version: go version go1.5.1 darwin/amd64
OS X Yosemite: 10.10.5
In the http.Redirect method, there is a fallback for browsers that don't support 301/307 redirects by providing them with a link. Currently the path is encoded using htmlEscape
https://github.com/golang/go/blame/master/src/net/http/server.go#L1716
This causes urlStr to not be encoded properly when output, as shown below:
Example code:
Example Output:
This is outputting < as &lt; rather than %3C, as well as adding an unescaped \ at the end of the path, causing it to escape the " that comes after it.
This could be fixed with something along the lines of:
at https://github.com/golang/go/blame/master/src/net/http/server.go#L1716
Hope this helps
Martin Lenord
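The behaviour discussed in this issue, as an added example that is not code from the issue or from the Go project: it drives http.Redirect through httptest and returns the Location header, the href attribute as written in the fallback body, and that attribute after HTML entity decoding. escapedTarget is a hypothetical helper for callers who want percent-encoding applied before the redirect; the sample targets are constructed.

```go
package main

import (
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
)

// hrefRe pulls the href attribute value out of the fallback body.
var hrefRe = regexp.MustCompile(`<a href="([^"]*)">`)

// redirectOutput calls http.Redirect for target and returns the Location
// header, the raw href attribute in the fallback body, and that attribute
// after HTML entity decoding (what an HTML parser passes on as the URL).
func redirectOutput(target string) (location, rawHref, decodedHref string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	http.Redirect(rec, req, target, http.StatusFound)
	location = rec.Header().Get("Location")
	if m := hrefRe.FindStringSubmatch(rec.Body.String()); m != nil {
		rawHref = m[1]
		decodedHref = html.UnescapeString(rawHref)
	}
	return
}

// escapedTarget (hypothetical helper) percent-encodes a path before it is
// handed to http.Redirect, for callers that want %3C instead of a literal "<".
func escapedTarget(p string) string {
	return (&url.URL{Path: p}).EscapedPath()
}

func main() {
	// Constructed targets: the "/<" case from the issue, a path containing a
	// quote and a trailing backslash, and a pre-escaped path.
	for _, t := range []string{"/<", `/a"b\`, escapedTarget("/<")} {
		loc, raw, dec := redirectOutput(t)
		fmt.Printf("target=%q Location=%q href=%q decoded=%q\n", t, loc, raw, dec)
	}
}
```

The quote inside the path is entity-encoded, so the captured attribute always ends at the real closing quote; a backslash has no escaping role inside an HTML attribute.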