Opened 18 years ago
Last modified 17 years ago
#727 confirmed Bug
Mixing GET and POST parameters not RFC-Compliant
Reported by: | anonymous | Owned by: | |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | General | Version: | |
Keywords: | SF | Cc: |
Description
Great work on the editor, folks!
As the subject says - There are parts of FCKeditor that mix GET and POST parameters by putting a query string on the "action" bit of a POST'd form, specifically:
fckeditor/editor/filemanager/browser/default/frmupload.html
This is NOT RFC-compliant - you're supposed to pick one method and stick to it. RFC-compliant CGI parameter parsers will be unable to see the query-string encoded values in the action parameter when you POST. Making FCKeditor conform to the RFCs will make it work better in more places.
There's certainly a better way to do the javascript, but here's a "fixed" version of frmupload.html from the default integration interface.
Moved from SF:
http://sourceforge.net/tracker/index.php?func=detail&aid=1487047&group_id=75348&atid=543653
Change History (3)
comment:1 Changed 18 years ago by
Cc: | Frederico Caldeira Knabben added |
---|---|
Reporter: | changed from Martin Kou to anonymous |
comment:2 Changed 17 years ago by
RFC2616? I think the reporter has a valid concern, GET and POST are literally different "commands" in the HTTP protocol.
comment:3 Changed 17 years ago by
Cc: | Frederico Caldeira Knabben removed |
---|---|
Keywords: | Confirmed added |
Fortunately this issue is not impacting our code currently. Actually, it would just make our lives harder right now. But it is good to keep it in mind for future developments.
Section 17.13.1 of the HTML 4.01 spec says it pretty clearly:
http://www.w3.org/TR/REC-html40/interact/forms.html#h-17.13.1
With GET, you include the data in the URL (and the UserAgent is expected to package it up for you). With POST, you include the data in the body of the form. If you add query string parameters to the action, the "behavior is unspecified": the server-side parser can do whatever it wants, including ignoring the data.
The directive on how data should be submitted is clear, though: GET has data put in the URL, POST has data put in the form body. Anything else has an unspecified consequence.
Ruby and Perl, at least, have core CGI libraries that adhere to that distinction, and getting at query string data on a POST'd action requires workarounds.
The fix is easy, if you take a look at the file I attached. If all forms were encoded "the long way", with <input type="hidden"> for variables not directly edited by user input, FCKeditor would "just work" with all parsers.
Moved from SF. Original poster: Anonymous
Could you please point us to the RFC? Thanks for the advice.
Moved from SF. Original poster: fredck
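The failure this ticket describes and the hidden-input fix proposed in the comments, as an added example that is not part of the ticket, its attachment, or FCKeditor's code. The parser model, the function names, the sample action URL and field names are all constructed, and the body is URL-encoded rather than multipart to keep the example short.

```javascript
// Added illustration, not FCKeditor code. All names and sample values are constructed.

// Model of a strict parser as the ticket describes it: a POST is read from
// the body only, a GET from the query string only.
function strictParse(method, url, body) {
  const q = url.indexOf('?');
  const query = q === -1 ? '' : url.slice(q + 1);
  const source = method.toUpperCase() === 'POST' ? body : query;
  return Object.fromEntries(new URLSearchParams(source));
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Move query-string parameters off the action and into hidden inputs.
function splitAction(action) {
  const q = action.indexOf('?');
  if (q === -1) return { action, hidden: [], html: '' };
  const hidden = [...new URLSearchParams(action.slice(q + 1))];
  const html = hidden
    .map(([n, v]) => `<input type="hidden" name="${escapeAttr(n)}" value="${escapeAttr(v)}">`)
    .join('\n');
  return { action: action.slice(0, q), hidden, html };
}

// Body a browser would send for the given fields (URL-encoded for brevity).
function encodeBody(pairs) {
  return new URLSearchParams(pairs).toString();
}

// Constructed sample: a POST form whose action carries two parameters.
const MIXED_ACTION = '/upload.cgi?Command=Upload&Folder=%2Fimages%2F';
const USER_FIELDS = [['Title', 'logo']];

function demo() {
  const before = strictParse('POST', MIXED_ACTION, encodeBody(USER_FIELDS));
  const fixed = splitAction(MIXED_ACTION);
  const after = strictParse('POST', fixed.action,
                            encodeBody([...fixed.hidden, ...USER_FIELDS]));
  return { before, after, fixed };
}

console.log(demo());
```

With the mixed action the strict parser sees only `Title`; after the parameters are moved into hidden inputs it sees all three.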