Slash Boxes
NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

use Perl Log In

Log In

[ Create a new account ]

TorgoX (1933)


"Il est beau comme la retractilité des serres des oiseaux rapaces [...] et surtout, comme la rencontre fortuite sur une table de dissection d'une machine à coudre et d'un parapluie !" -- Lautréamont

Journal of TorgoX (1933)

Friday December 02, 2005
12:45 AM

Hot: Semicolons. Not: Ampersands.

[ #27828 ]
Dear Log,

« B.2.2: Ampersands in URI attribute values

The URI that is constructed when a form is submitted may be used as an anchor-style link (e.g., the href attribute for the element). Unfortunately, the use of the "&" character to separate form fields interacts with its use in SGML attribute values to delimit character entity references. For example, to use the URI "http://host/?x=1&y=2" as a linking URI, it must be written <A href="http://host/?x=1&#38;y=2"> or <A href="http://host/?x=1&amp;y=2">.

We recommend that HTTP server implementors, and in particular, CGI implementors support the use of ";" in place of "&" to save authors the trouble of escaping "&" characters in this manner.»

It's not a new recommendation either. It's been there since 1995. supports it, but I doubt I've ever seen it actually used anywhere.

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
More | Login | Reply
Loading... please wait.
  • Part of the trouble is the lack of support. I always use to generate URLs with query strings correctly, but it insists on producing ampersands. I know, I should submit a patch.

    The other part of the problem is the fact that our tools are fundamentally broken and insecure [].


    • There's already a patch for URI, but the bug its attached was submitted prior to the W3C XHTML recommendation, and has a low priority. I submitted a meta bug. Additional lobbying might help, though.
    • I always use to generate URLs with query strings correctly, but it insists on producing ampersands. I know, I should submit a patch.

      I don't think that's a bug, since escaping the query string is only relevant when it's being used as an attribute value. I'd say it's a bug in whatever is generating the HTML code.

      (Unless you mean the patch changes it to emit semi-colons instead of ampersands, in which case, I apologize, because you're correct.)

      • Yes, that's exactly what I was referring to. I reckon that there should be a global variable in URI::_query or something to set which one you would prefer. I haven't looked at the relevant bug yet to see if that's how it's done.


  • Funny, I complained about that just recently [] – PHP still isn’t configured to accept semicolonised query strings by default. It’s by far the biggest offender.

    Maybe I should take a look at what the Rails and Django folk are doing and complain at them too.

    Perl stuff is mostly good about this.

  • I wrote some OAI (Open Archives Initiative) code for Slashdot, for a certain search site to use to get data from us. OAI is XML, and part of the spec is to pass a "resumption token" for when the results list is incomplete (as tends to happen, since you don't want to put all the Slashdot data in one result list).

    So for simplicity, I used the query string made to make the request as the resumption token, with the counter incremented. This meant encoding & as &, of course. The search site people tho