Forum OpenACS Q&A: Question about changes to ad_return_url

There were changes made to the ad_return_url proc to deprecate the -urlencode flag. This change appears to have been made in August of 2021. We are just now upgrading our sites to include this code.

The proc states that the flag has been deprecated because the result is now encoded by default. The problem is that this is not quite the case. The path gets ns_urlencode(d) but the query list does not.

Is this by design or is it an omission? From my perspective, the entire url should be encoded, not just the path. I do not know that I have seen a path that needed to be encoded but certainly a url that is composed with several items in the query string needs to be encoded. This prevents those items being misinterpreted in a url containing the return_url as one of its query items.

Being that this was purposefully changed, I am not sure what the preferred fix would be: either reinstating the flag or calling ns_urlencode on the final constructed url at return time instead of just on the base_url.

I am happy to submit either one of these fixes if you can tell me which is preferred or if I am missing something altogether which supports the code as it currently is.

What is the best way to proceed?


-Tony Kirkham

Posted by Gustaf Neumann on

You wrote:

The path gets ns_urlencode(d) but the query list does not.

When the following test-script (i called it www/adreturnurl.tcl)

 ns_return 200 text/plain [subst {
    ad_return_url: [ad_return_url]

is called from the browser with query parameter containing a value that has to be urlencoded (here the percent sign)


it returns

    ad_return_url: /ad_return_url?x=a%25b

where the percent sign is properly escaped.

What is the concern? If you think, there is a bug, please submit an entry to the bugtracker with an example, how to reproduce it.