Item6022: ENCODE{} treats % as safe character

Priority: Urgent
Current State: Closed
Released In:
Target Release: patch
Applies To: Engine
Component: TWiki.pm
Branches:
Reported By: TWiki:Main.AndreLichtsteiner
Waiting For:
Last Change By: KwangErnLiew
The %-sign (per cent) is, according to RFC 1738, unsafe. (2.2. URL Character Encoding Issues: The character "%" is unsafe because it is used for encodings of other characters.)

But the TWiki variable %ENCODE{}% treats % (per cent) as a safe character instead of transforming it to %25.

Test:

  • ?value=%ENCODE{"%9600" type="url"}%

results in:

  • ?value=%259600 (results in 4.22 as %9600)
  • value will be seen as -00

Expected:

  • ?value=%259600
  • value will be seen as %9600

Proposed patch: /lib/TWiki.pm
2403c2403
<    $text =~ s/([^0-9a-zA-Z-_.:~!*'\/%])/'%'.sprintf('%02x',ord($1))/ge;
---
>    $text =~ s/([^0-9a-zA-Z-_.:~!*'\/])/'%'.sprintf('%02x',ord($1))/ge;
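Review bot: dropping `%` from the negated character class is the whole fix, and on the report's input it yields `%259600`, which the receiving side decodes back to `%9600` as expected; the side effect to watch for after commit is that any caller already passing a pre-encoded string through ENCODE{type="url"} will now get it double-encoded (`%25..`). Two smaller points on the same line: `sprintf('%02x', ord($1))` only produces a valid two-digit escape for code points up to 0xFF, so a string holding wide characters needs to be converted to UTF-8 bytes before this substitution runs; and `%02x` emits lowercase hex digits, whereas RFC 3986 names uppercase as the canonical form (decoders accept both, so that one is style only).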

-- TWiki:Main/AndreLichtsteiner - 25 Sep 2008
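As an added illustration (not code from the report or from TWiki itself), the two substitutions from the patch above are wrapped in hypothetical helpers and run against the report's test value, with a minimal %XX decoder standing in for the receiving CGI layer, to show why the old behaviour loses the value and the patched one round-trips it:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper names (not TWiki's own). The bodies are the '<' (before)
# and '>' (after) lines of the patch in this report, unchanged.
sub encode_url_old {
    my ($text) = @_;
    $text =~ s/([^0-9a-zA-Z-_.:~!*'\/%])/'%'.sprintf('%02x',ord($1))/ge;
    return $text;
}

sub encode_url_new {
    my ($text) = @_;
    $text =~ s/([^0-9a-zA-Z-_.:~!*'\/])/'%'.sprintf('%02x',ord($1))/ge;
    return $text;
}

# What a query-string consumer does with the value: turn each %XX back into a byte.
sub decode_url {
    my ($text) = @_;
    $text =~ s/%([0-9a-fA-F]{2})/chr(hex($1))/ge;
    return $text;
}

# Render non-printable bytes as \xNN so the damage in the old case is visible.
sub show {
    my ($text) = @_;
    $text =~ s/([^\x20-\x7e])/sprintf('\\x%02x', ord($1))/ge;
    return $text;
}

# Constructed inputs: the report's own test value, plus an ordinary value to
# confirm that characters other than '%' are encoded identically before and after.
my @values = ('%9600', 'a b&c=d');

for my $value (@values) {
    for my $case (['old (% left alone)', \&encode_url_old],
                  ['new (patched)',      \&encode_url_new]) {
        my ($label, $enc) = @$case;
        my $encoded = $enc->($value);
        my $decoded = decode_url($encoded);
        printf "%-12s %-19s encoded=%-12s decoded=%-12s round-trip %s\n",
            $value, $label, $encoded, show($decoded),
            ($decoded eq $value ? 'ok' : 'BROKEN');
    }
}
```

For `%9600` the old substitution leaves the text untouched, so the consumer decodes `%96` to the single byte 0x96 and the value arrives as that byte plus `00`; the patched substitution emits `%259600`, which decodes back to the original `%9600`.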

Elevating to urgent.

Any voices against Andre's conclusions? Things that will break?

Otherwise I will commit the patch. Will wait a few days.

-- TWiki:Main.KennethLavrsen - 29 Sep 2008

Sorry, couldn't wait any longer :)

-- SvenDowideit - 05 Oct 2008

ItemTemplate

Summary: ENCODE{} treats % as safe character
ReportedBy: TWiki:Main.AndreLichtsteiner
Codebase:
SVN Range: TWiki-5.0.0, Tue, 23 Sep 2008, build 17539
AppliesTo: Engine
Component: TWiki.pm
Priority: Urgent
CurrentState: Closed
WaitingFor:
Checkins: TWikirev:17588
TargetRelease: patch
ReleasedIn:
Topic revision: r9 - 08 Jan 2009, KwangErnLiew