html/template: stateURL context percent encodes "(", ")" yet they are valid path characters #15891
Comments
|
Does this extra encoding cause any harm? |
|
In my particular use-case is does, as the URL that is output is to a third-party re-direction URL that does not perform proper URL un-encoding. I will submit a PR shortly. |
quentinmit
added
the
NeedsFix
|
I don't see any connection to net/http so am going to change the title of this bug to relate it to net/url instead. Please correct me if am wrong. |
|
Or html/template? |
odeke-em
changed the title
stateURL template context percent encodes "(" and ")"
|
Good plan, thanks. Updated. |
|
The problem here is not net/url but the fact that the html/template escaper uses the same code for escaping Any RFC-compliant server should treat /path(en) and /path%28en%29 the same. This code is very subtle, and I am not convinced that the benefit to broken servers is worth the risk of introducing a security problem in this code. I think we should leave this alone. /cc @mikesamuel |
rsc
changed the title
The
html/templatecontextstateURLappears to be percent encoding valid characters. I believe this is becauseshouldEscape()innet/urlencodes these characters by default: https://github.com/ecosia/go/blob/master/src/net/url/url.go#L101RFC3986 allows for the use of
(and)characters in the query component: https://tools.ietf.org/html/rfc3986#section-3.4go version)?1.6.2
go env)?linux/amd64
Create a template with a variable to be used for the
hrefattribute. Pass a URL including(or)to the template and compile.(and)are percent encoded during compilation.An example on play.golang.org: https://play.golang.org/p/QFtR42GyfI
<a href="http://my.domain/path-to-lang(en)">Click this link.</a><a href="http://my.domain/path-to-lang%28en%29">Click this link.</a>The text was updated successfully, but these errors were encountered: