Input box does not generate correct URL containing ampersand
Closed, Resolved
Public


Author: RLUllmann

If the page title contains an ampersand, Inputbox generates the edit url with %26amp%3B instead of just %26, usually resulting in a server error; but has been reported as generating the page title truncated at the ampersand.

E.g. on en.wikt, enter foo&bar and "Go", then pick the "Noun" button; generated URL contains &title=foo%26amp%3Bbar :

go to
press "Noun"

I have not tested other things that might be escaped in a URL or other cases, code needs looking at.

Version: unspecified
Severity: normal

bzimport added a subscriber: Unknown Object (MLST).
bzimport set Reference to bz15564.
bzimport created this task. Via Legacy, Sep 11 2008, 3:43 PM
Umherirrender added a comment. Via Conduit, Mar 20 2009, 5:50 PM

should work with #tag:


MarkAHershberger added a comment. Via Conduit, Jun 14 2011, 12:22 AM

unassigned Trevor from Inputbox extension.

brion added a comment. Via Conduit, Sep 23 2011, 12:02 AM

(In reply to comment #1)

> should work with #tag:

Actually that doesn't seem to do any different.


The parameter with the search term on the searchmenu-new message in Special:Search is escaped ahead of time so that it won't trigger wiki syntax in the output: eg a title containing "''" shouldn't trigger italics.

So the inputbox's parameters contain "default=foo&bar" (or on 1.18/trunk, "default=foo&bar" which fails in a similar but slightly different way).

Inputbox dutifully accepts that and sticks it in the value of its (hidden) input element -- of course escaping all of its output so the & and whatnot are preserved across the form submission.

Possibly inputbox should do normalization on the input to pre-convert any character references... though of course if anybody is *deliberately* putting character references into the inputbox input values they'd need to update to double-escape.
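
The double encoding described in the comment above, traced layer by layer (an added example, not part of the original thread and not Inputbox's code). The function name `submitted_query` is hypothetical, and Python's `html` and `urllib` stand in for MediaWiki's escaping and the browser's form submission.

```python
import html
from urllib.parse import quote


def submitted_query(default: str, normalize: bool) -> str:
    """Return the title= query a browser would submit for a hidden input.

    default   -- the text handed to the form generator (hypothetical stand-in
                 for Inputbox's "default=" parameter)
    normalize -- pre-convert character references before output escaping,
                 the change suggested in the comment above
    """
    value = html.unescape(default) if normalize else default
    # Output escaping for value="...": always applied, and correct on its own.
    attribute = html.escape(value, quote=True)
    # The browser decodes the attribute exactly once when parsing the page...
    parsed = html.unescape(attribute)
    # ...and percent-encodes the result when the form is submitted via GET.
    return "title=" + quote(parsed, safe="")


if __name__ == "__main__":
    # Constructed input: the search term after it was escaped ahead of time
    # so that it cannot trigger wiki syntax ("foo&bar" -> "foo&amp;bar").
    pre_escaped = html.escape("foo&bar")

    print(submitted_query(pre_escaped, normalize=False))  # title=foo%26amp%3Bbar
    print(submitted_query(pre_escaped, normalize=True))   # title=foo%26bar

    # Cost of normalizing: a caller who wants the literal text "x&lt;y"
    # must now double-escape it, otherwise it collapses to "x<y".
    print(submitted_query("x&lt;y", normalize=True))       # title=x%3Cy
    print(submitted_query("x&amp;lt;y", normalize=True))   # title=x%26lt%3By
```

The first line of output reproduces the `%26amp%3B` from the report: the value was escaped once for wikitext and once more for the attribute, but the browser only undoes one layer.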

bzimport added a comment. Via Conduit, Oct 25 2011, 12:15 AM

mcdevitd wrote:

Marking as duplicate of bug 29066, with a more general name, since ampersands are not the only problematic characters.

*** This bug has been marked as a duplicate of bug 29066 ***
