#385 new
Di-an Jan

form field values/names containing = or & not correctly handled when using mechanize

Reported by Di-an Jan | July 13th, 2010 @ 03:35 AM

For mechanize, values are not urlencoded, so can contain '=' and '&'.

In Form.unescape_params, name=value are split('=') into .first and .last,
which would be wrong if value contains '='. It should be split('=', 2).

In Form#params, name=value's are join('&') into a string,
then in Form.unescape_params, they are split at '&',
which would be wrong if value contains '&'. One solution is to
not do the join in Form#params, and do it in Form.unescape_params
except when they need to be split directly.

Field names need to be urlencoded too because HTML4 says it's CDATA.
If a name contains '=', it would mess up even split('=', 2).
A more general solution is to always urlencode, then in the mechanize case
in Form.unescape_params, split and then urldecode.
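As an added illustration (not code from the ticket or from the project), the split the ticket describes beside the encode-then-split approach it proposes; the sample fields and the function names are constructed for the example:

```ruby
require 'cgi'

# Constructed sample fields: a value containing '=' and '&', a name
# containing '=', and a value containing a bare '&'.
SAMPLE_FIELDS = [
  ['query', 'a=b&c'],
  ['x=y', '1'],
  ['note', 'rock & roll'],
].freeze

# The handling described in the ticket: pairs are joined with '&' without
# encoding, the string is split at every '&', and each pair is split at
# every '=' with .first/.last taken as name and value.
def unescape_params_naive(fields)
  joined = fields.map { |name, value| "#{name}=#{value}" }.join('&')
  joined.split('&').map do |pair|
    parts = pair.split('=')
    [parts.first, parts.last]
  end
end

# Proposed fix, step 1: urlencode both name and value before joining, so
# neither can contain a literal '=' or '&'.
def encode_params(fields)
  fields.map { |name, value| "#{CGI.escape(name)}=#{CGI.escape(value)}" }
        .join('&')
end

# Proposed fix, step 2: split at '&', split each pair at the FIRST '='
# only, then urldecode name and value.
def unescape_params_fixed(encoded)
  encoded.split('&').map do |pair|
    name, value = pair.split('=', 2)
    [CGI.unescape(name), CGI.unescape(value.to_s)]
  end
end
```

With the sample above, the naive path turns `['query', 'a=b&c']` into `['query', 'b']` and splits `rock & roll` into two bogus fields, while the encode-then-split path round-trips all three fields unchanged.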

No comments found
