[Varnish] #413: Incorrect handling of escape in esi:include src attribute
Varnish
varnish-bugs at projects.linpro.no
Sat Dec 20 07:20:26 CET 2008
#413: Incorrect handling of escape in esi:include src attribute
-------------------------+--------------------------------------------------
Reporter: andrewmcnnz | Owner: phk
Type: defect | Status: new
Priority: normal | Milestone:
Component: varnishd | Version: 2.0
Severity: normal | Keywords: esi escape
-------------------------+--------------------------------------------------
I'm seeing the following bug in Varnish 2.0.2, compiled from source on
Ubuntu.
The following syntax is incorrect as it is not well-formed XML:
<esi:include src="/foo?a=b&c=d" />
The problem is the '&' which should be escaped like so:
<esi:include src="/foo?a=b&amp;c=d" />
http://www.htmlhelp.com/tools/validator/problems.html#amp
However, it seems that Varnish does not unescape the HTML entity before
interpreting the URL, and the wrong request arguments are sent, i.e. the CGI
string as sent by varnishd is identical to how it appears in the
esi:include src attribute text.
Failure to escape ampersands in URLs embedded in HTML is an extremely
common bug, and quite probably should be interpreted generously, but
correct code must be allowed to work also.
I'm working around this by using ';' delimiters, which is recommended practice,
if not common. Shouldn't be necessary though.
--
Ticket URL: <http://varnish.projects.linpro.no/ticket/413>
Varnish <http://varnish.projects.linpro.no/>
The Varnish HTTP Accelerator
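
An added example, not part of the original ticket and not Varnish's code: it shows which query parameters a backend receives from the two src forms in the report, with and without XML entity decoding of the attribute value. The names xml_unescape and include_params and the sample markup are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# The five entities predefined by XML 1.0, plus numeric character references.
_XML_ENTITIES = {"amp": "&", "lt": "<", "gt": ">", "quot": '"', "apos": "'"}
_ENTITY_RE = re.compile(r"&(#x[0-9A-Fa-f]+|#[0-9]+|[A-Za-z]+);")
_INCLUDE_RE = re.compile(r'<esi:include\s+src="([^"]*)"\s*/>')


def xml_unescape(value: str) -> str:
    """Decode XML entity references in an attribute value, in a single pass."""
    def repl(m):
        name = m.group(1)
        if name.startswith("#x"):
            return chr(int(name[2:], 16))
        if name.startswith("#"):
            return chr(int(name[1:]))
        # Unknown named entities are left untouched rather than guessed at.
        return _XML_ENTITIES.get(name, m.group(0))
    return _ENTITY_RE.sub(repl, value)


def include_params(markup: str, unescape: bool):
    """Return the query parameters a backend would see for the first esi:include."""
    m = _INCLUDE_RE.search(markup)
    if m is None:
        raise ValueError("no esi:include tag found")
    src = m.group(1)
    if unescape:
        src = xml_unescape(src)
    # Split on '&' only, so ';' inside a name stays visible in the result.
    return parse_qsl(urlsplit(src).query, keep_blank_values=True, separator="&")


# Constructed sample inputs, matching the two forms in the report.
WELL_FORMED = '<esi:include src="/foo?a=b&amp;c=d" />'
UNESCAPED = '<esi:include src="/foo?a=b&c=d" />'

if __name__ == "__main__":
    print(include_params(WELL_FORMED, unescape=False))  # behaviour reported
    print(include_params(WELL_FORMED, unescape=True))   # behaviour expected
    print(include_params(UNESCAPED, unescape=True))     # lenient case still works
```

Without decoding, the backend sees a parameter named "amp;c" instead of "c", so any check or routing keyed on "c" silently stops applying to that request.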