
Item6022: ENCODE{} treats % as safe character

Priority: Urgent
Current State: Closed
Released In:
Target Release: patch
Applies To: Engine
Reported By: TWiki:Main.AndreLichtsteiner
Waiting For:
Last Change By: KwangErnLiew
According to RFC 1738, the % sign (per cent) is unsafe. (2.2. URL Character Encoding Issues: The character "%" is unsafe because it is used for encodings of other characters.)

But the TWiki Variable %ENCODE{}% treats % (per cent) as a safe letter instead of transforming it to %25.



  • ?value=%ENCODE{"%9600" type="url"}%

results in:

  • ?value=%259600 (results in 4.22 as %9600)
  • value will be seen as -00


  • ?value=%259600
  • value will be seen as %9600

proposed patch: /lib/
<    $text =~ s/([^0-9a-zA-Z-_.:~!*'\/%])/'%'.sprintf('%02x',ord($1))/ge;
>    $text =~ s/([^0-9a-zA-Z-_.:~!*'\/])/'%'.sprintf('%02x',ord($1))/ge;
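Review bot: with % dropped from the safe set on the ">" line, any text that is already percent-encoded when it reaches ENCODE will now be encoded a second time (%20 becomes %2520). Before this goes in, check whether any template or plugin passes pre-encoded values through type="url", and state in the ENCODE documentation that the input is expected to be raw text. A unit test asserting that "%9600" encodes to "%259600" would pin the new behaviour down. Minor style points on the same line: the "-" in "a-zA-Z-_" is only literal because it follows a range, so moving it to the end of the class would make that explicit, and sprintf('%02x', ...) emits lowercase hex, which decoders accept but which RFC 3986 recommends writing in uppercase.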

-- TWiki:Main/AndreLichtsteiner - 25 Sep 2008
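
The case from the report worked through end to end, as an added example that is not TWiki's own code. The two substitutions are copied from the proposed patch; `url_decode`, `show` and the second input `a%2Fb` are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Substitution before the patch: '%' is in the safe set and passes through.
sub encode_old {
    my ($text) = @_;
    $text =~ s/([^0-9a-zA-Z-_.:~!*'\/%])/'%'.sprintf('%02x',ord($1))/ge;
    return $text;
}

# Substitution after the patch: '%' is encoded as %25 like any other unsafe byte.
sub encode_new {
    my ($text) = @_;
    $text =~ s/([^0-9a-zA-Z-_.:~!*'\/])/'%'.sprintf('%02x',ord($1))/ge;
    return $text;
}

# Hypothetical helper: the single decoding pass a receiver applies to a query value.
sub url_decode {
    my ($text) = @_;
    $text =~ s/%([0-9a-fA-F]{2})/chr(hex($1))/ge;
    return $text;
}

# Hypothetical helper: printable rendering so raw bytes such as 0x96 stay visible.
sub show {
    my ($bytes) = @_;
    $bytes =~ s/([^\x20-\x7e])/sprintf('\\x%02x', ord($1))/ge;
    return $bytes;
}

# Constructed inputs: the value from the report, and a literal string that
# happens to look like an escape sequence.
for my $input ('%9600', 'a%2Fb') {
    for my $case ([ old => \&encode_old ], [ new => \&encode_new ]) {
        my ($name, $encode) = @$case;
        my $wire    = $encode->($input);   # what ends up in the URL
        my $decoded = url_decode($wire);   # what the receiver sees
        printf "%-3s  %-6s -> %-8s -> %-8s %s\n",
            $name, show($input), $wire, show($decoded),
            ($decoded eq $input ? 'round-trips' : 'CORRUPTED');
    }
}
```

With the old class, `%9600` decodes to the byte 0x96 followed by `00` (Windows-1252 renders 0x96 as a dash, hence the "-00" in the report), and `a%2Fb` decodes to `a/b`; with the patched class both inputs round-trip.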

Elevating to urgent.

Any voices against Andre's conclusions? Things that will break?

Otherwise I will commit the patch. Will wait a few days.

-- TWiki:Main.KennethLavrsen - 29 Sep 2008

sorry, couldn't wait any longer :-)

-- SvenDowideit - 05 Oct 2008


Summary ENCODE{} treats % as safe character
ReportedBy TWiki:Main.AndreLichtsteiner
SVN Range TWiki-5.0.0, Tue, 23 Sep 2008, build 17539
AppliesTo Engine
Priority Urgent
CurrentState Closed
Checkins TWikirev:17588
TargetRelease patch
Topic revision: r9 - 08 Jan 2009, KwangErnLiew