Opened 12 years ago

Last modified 11 years ago

#727 confirmed Bug

Mixing GET and POST parameters not RFC-Compliant

Reported by: anonymous Owned by:
Priority: Normal Milestone:
Component: General Version:
Keywords: SF Cc:

Description

Great work on the editor, folks!

As the subject says - There are parts of FCKeditor that mix GET and POST parameters by putting a query string on the "action" bit of a POST'd form, specifically:

fckeditor/editor/filemanager/browser/default/frmupload.html

This is NOT RFC-compliant - you're supposed to pick one method and stick to it. RFC-compliant CGI parameter parsers will be unable to see the query-string encoded values in the action parameter when you POST. Making FCKeditor conform to the RFCs will make it work better in more places.

There's certainly a better way to do the javascript, but here's a "fixed" version of frmupload.html from the default integration interface.


Moved from SF:
http://sourceforge.net/tracker/index.php?func=detail&aid=1487047&group_id=75348&atid=543653

Change History (3)

comment:1 Changed 12 years ago by Martin Kou

Cc: Frederico Caldeira Knabben added
Reporter: changed from Martin Kou to anonymous

Section 17.13.1 of the HTML 4.01 spec says it pretty clearly:

http://www.w3.org/TR/REC-html40/interact/forms.html#h-17.13.1

With GET, you include the data in the URL (and the UserAgent is expected to package it up for you). With POST, you include the data in the body of the form. If you add query string parameters to the action, the "behavior is unspecified": the server-side parser can do whatever it wants, including ignoring the data.

The directive on how data should be submitted is clear, though: GET has data put in the URL, POST has data put in the form body. Anything else has an unspecified consequence.

Ruby and Perl, at least, have core CGI libraries that adhere to that distinction, and getting at query string data on a POST'd action requires workarounds.

The fix is easy, if you take a look at the file I attached. If all forms were encoded "the long way", with <input type="hidden"> for variables not directly edited by user input, FCKeditor would "just work" with all parsers.


Moved from SF. Original poster: Anonymous

Could you please point us to the RFC? Thanks for the advice.


Moved from SF. Original poster: fredck
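
The behaviour described in the posts above, as an added example that is not part of the ticket or of FCKeditor's code: a simplified model of a parser that reads only the body on POST next to one that also merges the action URL's query string, and the hidden-field fix applied to a form action. The parser functions, the action URL, and the field names and values are all constructed for illustration, and the body is urlencoded for brevity.

```javascript
// Added example, not FCKeditor code. Names and values are constructed.

// Query-string part of a URL, without '?' and without any fragment.
const queryOf = (url) => (url.split('#')[0].split('?')[1] || '');

// Parser that keeps GET and POST apart: on POST it reads only the body.
function strictParse(method, url, body) {
  const source = method.toUpperCase() === 'POST' ? body : queryOf(url);
  return Object.fromEntries(new URLSearchParams(source));
}

// Parser that also merges the action URL's query string on POST.
function lenientParse(method, url, body) {
  const merged = new URLSearchParams(queryOf(url));
  if (method.toUpperCase() === 'POST') {
    for (const [k, v] of new URLSearchParams(body)) merged.set(k, v);
  }
  return Object.fromEntries(merged);
}

// The fix described in the ticket: take every parameter off the action URL
// and return it as a hidden field, to be sent in the body with the others.
function moveQueryToHiddenFields(action) {
  const hidden = [...new URLSearchParams(queryOf(action))]
    .map(([name, value]) => ({ type: 'hidden', name, value }));
  return { action: action.split(/[?#]/)[0], hidden };
}

// Body a browser would send for these fields (urlencoded for brevity).
const encodeBody = (fields) =>
  new URLSearchParams(fields.map((f) => [f.name, f.value])).toString();

// Constructed sample form: two parameters ride on the action URL.
const mixedAction = 'upload.cgi?Command=Upload&Folder=%2Fdocs%2F';
const userFields = [{ type: 'text', name: 'Comment', value: 'hello' }];

// Parse the same submission with both parsers, before and after the fix.
function compare() {
  const fixed = moveQueryToHiddenFields(mixedAction);
  const fixedBody = encodeBody([...fixed.hidden, ...userFields]);
  return {
    strictBefore: strictParse('POST', mixedAction, encodeBody(userFields)),
    lenientBefore: lenientParse('POST', mixedAction, encodeBody(userFields)),
    strictAfter: strictParse('POST', fixed.action, fixedBody),
    lenientAfter: lenientParse('POST', fixed.action, fixedBody),
  };
}

console.log(compare());
```

Before the fix the two parsers disagree about which parameters the request carries; after it they return the same set.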

comment:2 Changed 12 years ago by Martin Kou

RFC2616? I think the reporter has a valid concern, GET and POST are literally different "commands" in the HTTP protocol.

comment:3 Changed 11 years ago by Frederico Caldeira Knabben

Cc: Frederico Caldeira Knabben removed
Keywords: Confirmed added

Fortunately this issue is not impacting our code currently. Actually, it would just make our lives harder right now. But it is good to keep it in mind for future developments.
