Item6022: ENCODE{} treats % as safe character
Priority: Urgent
Current State: Closed
Released In:
Target Release: patch
Applies To: Engine
Component: TWiki.pm
Branches:
The % sign (per cent) is unsafe according to RFC 1738. (2.2. URL Character Encoding Issues: The character "%" is unsafe because it is used for encodings of other characters.)
But the TWiki Variable %ENCODE{}% treats % (per cent) as a safe letter instead of transforming it to %25.
Test:
- ?value=%ENCODE{"%9600" type="url"}%
results in:
- ?value=%259600 (results in 4.22 as %9600)
- value will be seen as -00
expected:
- ?value=%259600
- value will be seen as %9600
proposed patch:
/lib/TWiki.pm
2403c2403
< $text =~ s/([^0-9a-zA-Z-_.:~!*'\/%])/'%'.sprintf('%02x',ord($1))/ge;
---
> $text =~ s/([^0-9a-zA-Z-_.:~!*'\/])/'%'.sprintf('%02x',ord($1))/ge;
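Review bot: the changed character class on line 2403 has no regression test, and dropping `%` from the safe set means any caller that passes an already percent-encoded value to ENCODE will now get it encoded a second time (`%20` becomes `%2520`). That is the behaviour the report asks for, but it should be pinned with a test for the `%9600` case and stated in the ENCODE documentation so existing topics that relied on the pass-through can be found. While this line is being touched, the bare `-` in `a-zA-Z-_` would read more clearly escaped or moved to the end of the class, so it cannot be mistaken for a range.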
--
TWiki:Main/AndreLichtsteiner - 25 Sep 2008
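The round trip described in the report, as an added example (not TWiki's own code): the two substitutions are copied from the patch lines, while `url_decode`, `show` and the sample inputs other than `%9600` are assumptions standing in for the receiving side.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Encoder with '%' in the safe set (the '<' line of the patch).
sub encode_old {
    my ($text) = @_;
    $text =~ s/([^0-9a-zA-Z-_.:~!*'\/%])/'%'.sprintf('%02x',ord($1))/ge;
    return $text;
}

# Encoder with '%' removed from the safe set (the '>' line of the patch).
sub encode_new {
    my ($text) = @_;
    $text =~ s/([^0-9a-zA-Z-_.:~!*'\/])/'%'.sprintf('%02x',ord($1))/ge;
    return $text;
}

# Assumption: the receiver decodes every %XX pair exactly once.
sub url_decode {
    my ($text) = @_;
    $text =~ s/%([0-9a-fA-F]{2})/chr(hex($1))/ge;
    return $text;
}

# Make non-printable bytes visible as \xNN in the output.
sub show {
    my ($text) = @_;
    return join '',
        map { ($_ lt ' ' || $_ gt '~') ? sprintf('\\x%02x', ord($_)) : $_ }
        split //, $text;
}

# Constructed sample inputs; the first is the value from the report.
for my $in ('%9600', 'a%2Fb', '100% sure') {
    for my $enc ([old => \&encode_old], [new => \&encode_new]) {
        my ($name, $fn) = @$enc;
        my $wire = $fn->($in);
        my $back = url_decode($wire);
        printf "%-3s in=%-10s wire=%-14s decoded=%-10s %s\n",
            $name, $in, $wire, show($back),
            ($back eq $in ? 'round-trips' : 'CORRUPTED');
    }
}
```

With the old class, `%9600` and `a%2Fb` reach the receiver as a different value, while `100% sure` survives only because `% ` is not followed by two hex digits; with the new class all three round-trip.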
Elevating to urgent.
Any voices against Andre's conclusions? Things that will break?
Otherwise I will commit the patch. Will wait a few days.
--
TWiki:Main.KennethLavrsen - 29 Sep 2008
sorry, couldn't wait any longer
--
SvenDowideit - 05 Oct 2008