[Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL

bugzilla-daemon at bugs.koha-community.org
Thu Jul 30 07:15:37 CEST 2020


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223

--- Comment #18 from David Cook <dcook at prosentient.com.au> ---
Template Toolkit uses RFC 2396 (from 1998) for the url filter.

Looking at RFC 2396 https://tools.ietf.org/html/rfc2396#section-2.4.2:

"Data must be escaped if it does not have a representation using an unreserved
character"

However, it also says the following:

"A URI is always in an "escaped" form, since escaping or unescaping a completed
URI might change its semantics.  Normally, the only time escape encodings can
safely be made is when the URI is being created from its component parts; each
component may have its own set of characters that are reserved, so only the
mechanism responsible for generating or interpreting that component can
determine whether or not escaping a character will change its semantics.
Likewise, a URI must be separated into its components before the escaped
characters within those components can be safely decoded."

Note also the following:

"Because the percent "%" character always has the reserved purpose of being the
escape indicator, it must be escaped as "%25" in order to be used as data
within a URI.  Implementers should be careful not to escape or unescape the
same string more than once, since unescaping an already unescaped string might
lead to misinterpreting a percent data character as another escaped character,
or vice versa in the case of escaping an already escaped string."

Template Toolkit have changed the behaviour of the "uri" and "url" filters over
time (http://www.template-toolkit.org/docs/manual/Filters.html#section_url). I
think they also haven't interpreted RFC 3986 correctly with regard to the double
quote character...

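The RFC 2396 passages quoted in the comment above, worked through as an added example (not part of the original mail, and not Koha or Template Toolkit code). Python's `urllib.parse` stands in for the template filter; the proxy and target URLs and the helper names `build_item_url`, `escape_completed`, `param` and `encoding_layers` are constructed for illustration.

```python
from urllib.parse import quote, unquote, urlsplit, parse_qsl

# Constructed sample: an item URL whose "url" parameter is itself a URL.
TARGET = "https://example.org/doc?id=1&lang=en"


def build_item_url(target: str) -> str:
    """Escape the component once, while the URI is assembled from its parts."""
    return "https://proxy.example.org/login?url=" + quote(target, safe="")


def escape_completed(uri: str) -> str:
    """Anti-pattern: escape an already completed URI as if it were raw data.

    Delimiters are kept, but "%" is not, so every existing escape gains "%25".
    """
    return quote(uri, safe=":/?&=")


def param(uri: str, name: str) -> str:
    """Split the URI into components first, then decode one component once."""
    return dict(parse_qsl(urlsplit(uri).query))[name]


def encoding_layers(value: str, limit: int = 5) -> int:
    """Count unescape rounds until the value stops changing.

    Heuristic only: a correctly escaped literal "%" ("%25") also counts as
    one layer, so this flags candidates for review rather than proving a bug.
    """
    layers = 0
    while layers < limit and unquote(value) != value:
        value = unquote(value)
        layers += 1
    return layers


if __name__ == "__main__":
    once = build_item_url(TARGET)
    twice = escape_completed(once)
    print(once)
    print(twice)
    print(param(once, "url"))   # the original target
    print(param(twice, "url"))  # still percent-encoded, so the link is wrong
    print(encoding_layers(once.split("url=", 1)[1]))   # one layer
    print(encoding_layers(twice.split("url=", 1)[1]))  # two layers
```
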