tags:

views:

554

answers:

5
+4  Q: 

How-to XHTML 1.1 validate an ampersand without escaping it?

My issue is the following. I have a XHTML 1.1 page that has a form and input fields. One of the input fields contains a value which is an URI. This URI contains key-value pairs with ampersand (&) as argument separator, that will be passed as a GET request by another web application in the browser.

Usually I would use the entity & to create the ampersands to validate the code as XHTML 1.1. My problem here is that the application does not receive the GET request, since (as expected) the browser does not understand how to handle & in the URI.

So my question is really how to write an ampersand without using the HTML entity, so the browser still recognises it as the argument separator and the GET request is passed on properly to the web app.

I tried Hex (%26) encoding the ampersand but the browser still does not "translate" it back to a proper & character.

A related question, but it does not provide the exact answer to the question I am asking:

http://stackoverflow.com/questions/275150/xhtml-and-ampersand-encoding

+1  A: 

There is no way to include an ampersand character in an attribute value without using an entity.

There is no way to include an ampersand character as a textNode without using an entity or CDATA markers (but I bet you are serving as text/html so you can't use those).

That said — any browser which fails to decode the entity is broken. No mainstream browser fails there. You are either using an obscure and broken browser, or are misdiagnosing the problem.

David Dorward  2010-01-13 23:20:33
Any major browser (IE or FF will do). The browser handles the decoding properly inside the HTML. I am referring to actually using the HTML entity in the address bar. Try it...
mr-euro  2010-01-13 23:24:05
Well don't do that! You type plain URLs into the address bar, not HTML encoded URLs. That's like opening a Microsoft Word document in Notepad.
David Dorward  2010-01-13 23:26:47
The browser is redirected to that URI as it was typed directly into the address bar, including HTML entities. That is my issue.
mr-euro  2010-01-13 23:44:20
Either the browser is redirected to the URI, or the URI is typed into the address bar. It can't be both.
David Dorward  2010-01-14 00:03:52
Obviously the former. What I am saying is that the effect is the same as if the URI was typed directly into the address bar (vs. being e.g. an anchor being clicked on).
mr-euro  2010-01-14 00:43:53
So either your input is wrong (it still isn't clear what the input actually is, but it sounds like it should be an HTML encoded URI with any URI encoding of the ampersands being handled by the browser) or the server side form processor is broken.
David Dorward  2010-01-14 08:46:30
A: 

Without the code its difficult to tell where you are trying to keep this information, if you could post the code we could do a better job understanding the problem.

One possible (if this is in fact what you are facing) is to move the items in the querystring into other form elements, such as:

<form action="example.com/?foo=1&bar=2>
    <!-- ... -->
</form>

to:

<form action="example.com">
    <input type="hidden" name="foo" value="1" />
    <input type="hidden" name="bar" value="2" />
    <!-- ... -->
</form>
mynameiscoffey  2010-01-13 23:21:49
The querystring is not in the actual form action, but inside an input field's value field. It is a value which gets passed to a web app, which later returns the user's browser to that same URI (with the query-string in it). This is where it fails since the browser can not understand the HTML entity in the address bar.
mr-euro  2010-01-13 23:26:43
Gotcha, my bad. If that is the case can't you just escape it when you stick it in the input field (which is probably best to do anyway to avoid any XSS attacks) and then un-escape it before you do the redirect server-side?
mynameiscoffey  2010-01-14 00:23:02
Unfortunately the redirect comes from a 3rd party. So I need to send the URI exactly as I need it to come back... the 3rd party simply receives it and returns the user's browser to it after it has done other work.
mr-euro  2010-01-14 00:41:59
+1  A: 

As mentioned in the other question you referenced, the browser converts the &amp; to & when the page is processed, so the "&" (not &amp;) should be sent to the server in the GET request. Perhaps you are using Ajax to make the GET request, in which case, you may need to decode the HTML. The entity is required for XHTML--no alternative encoding, just make sure it is properly decoded.

Reference: The & changes to &amp; in a hyperlink

Doug D  2010-01-13 23:26:05
The issue is that the browser receives the HTML entity directly into the address bar (as if it was typed directly). I am not referring to the decoding that happens automatically e.g. if you use the ampersand equivalent entity inside an anchor.
mr-euro  2010-01-13 23:37:46
How is the URI being put in the input field? If the value is part of the HTML, then it should be the entity name, if set using JavaScript, then it should not.
Doug D  2010-01-14 13:01:53
A: 

I could not bother spending more time on this. I simply changed the argument separator to also include semi-colon (;) so I can use it instead of ampersand:

#cat .htaccess
php_value arg_separator.input "&;"
mr-euro  2010-01-14 01:14:40
+1  A: 

the escaped & should be converted by the client (browser) everywhere in the XHTML document. so you should escape every & with &amp;

KARASZI István  2010-01-14 10:43:25

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases