Input box does not generate correct URL containing ampersand
Closed, ResolvedPublic


Author: RLUllmann

If the page title contains an ampersand, Inputbox generates the edit url with %26amp%3B instead of just %26, usually resulting in a server error; but has been reported as generating the page title truncated at the ampersand.

E.g. on en.wikt, enter foo&bar and "Go", then pick the "Noun" button; generated URL contains &title=foo%26amp%3Bbar :

go to
press "Noun"

I have not tested other things that might be escaped in a URL or other cases, code needs looking at.

Version: unspecified
Severity: normal


bzimport set Reference to bz15564.
bzimport added a subscriber: Unknown Object (MLST).
bzimport created this task.Sep 11 2008, 3:43 PM

should works with #tag:


unassigned Trevor from Inputbox extension.

(In reply to comment #1)

should works with #tag:

Actually that doesn't seem to do any different.


The parameter with the search term on the searchmenu-new message in Special:Search is escaped ahead of time so that it won't trigger wiki syntax in the output: eg a title containing "''" shouldn't trigger italics.

So the inputbox's parameters contain "default=foo&bar" (or on 1.18/trunk, "default=foo&bar" which fails in a similar but slightly different way).

Inputbox dutifully accepts that and sticks it in the value of its (hidden) input element -- of course escaping all of its output so the & and whatnot are preserved across the form submission.

Possibly inputbox should do normalization on the input to pre-convert any character references... though of course if anybody is *deliberately* putting character references into the inputbox input values they'd need to update to double-escape.

mcdevitd wrote:

Marking as duplicate of bug 29066, with a more general name, since ampersands are not the only problematic characters.

*** This bug has been marked as a duplicate of bug 29066 ***

Add Comment