dsiftnc99059 2016-11-30 14:44

Is the URL decoded automatically if it contains any HTML entities?

The scenario: I am redirecting the user to the previous page after a successful login. login.php has a form which takes a username and password and POSTs to login_check.php. login_check.php checks the authentication of the user and, if it passes, redirects the user to the default page unless the user has a choice (i.e. if he visited some other page, say people's.php, and that people's.php finds that he is not logged in and redirects him to the login page so that he can get back after a successful login). I am also storing the visited URL in a hidden field in the form in login.php:

echo '<input type="hidden" name="location" value="';
 if(isset($_GET['location']))
 {
  echo htmlspecialchars($_GET['location']);
 }
echo '"/>';

In login_check.php, after the authentication check, I check whether there is a user choice; otherwise it redirects him to the default page:

//REDIRECT USER TO PREVIOUS PAGE IF ANY
if(isset($_POST['location']))
{
   header("location:".$_POST['location']);
   exit;
} 

My question: If I write the URI people's.php in the browser, it prompts me to log in accordingly and redirects me after login. If I try something like people&amplsquo;s.php, I get a page not found message. (The encoded URL, using htmlspecialchars(), is stored in the hidden field as shown in the code above.) So, where does the decoding of the URL take place, and why does it not work the other way (i.e. people&amplsquo;s.php)?

2 answers

  • douhu7807 2016-11-30 14:58

    If you write an HTML entity in an HTML document (and not inside an element with intrinsic CDATA, like <script>), then the entity will be decoded as the HTML is parsed and the DOM is generated.

    This is what happens in your <input value=... example.

    When the browser constructs the URL from the inputs in the form when the form is submitted, the entities have already been decoded.


    When you put an HTML entity in an HTTP header (such as location), then it will not be decoded by the browser. HTTP headers are not HTML documents so will not be parsed as HTML.

    In your example, the entity was already decoded by the browser before being sent to the server to populate $_POST.


    When you put an HTML entity in the browser's address bar, then it will not be decoded by the browser. URLs are not HTML documents so will not be parsed as HTML.

    This answer was selected by the asker as the best answer.
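
The round trip described in the accepted answer, as an added example that is not part of the original question or answer: the value is entity-encoded for the HTML attribute, decoded again when the HTML is parsed, and sent verbatim in the header. Assumptions: `DOMDocument` stands in for the browser's HTML parser, the sample values are constructed, and `safe_location()` with its `index.php` default is a hypothetical helper that also restricts the redirect to same-site paths, because the hidden field is client-controlled.

```php
<?php
// Added example, not from the original post. Sample values are constructed.

// 1. login.php: encode the value for the HTML attribute context.
$requested = "people's.php";
$encoded   = htmlspecialchars($requested, ENT_QUOTES, 'UTF-8');
$html      = '<form><input type="hidden" name="location" value="' . $encoded . '"/></form>';

// 2. Browser: entities are decoded while the HTML is parsed into a DOM.
//    DOMDocument stands in for the browser's HTML parser (assumption).
function parsed_input_value(string $html): string
{
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    return $doc->getElementsByTagName('input')->item(0)->getAttribute('value');
}

// 3. login_check.php: the posted value is client-controlled, so accept only a
//    same-site relative path (hypothetical rule chosen for this example).
function safe_location(string $location, string $default = 'index.php'): string
{
    // Path characters plus an optional query string: no scheme, no "//host",
    // no backslash, whitespace or control characters.
    $pattern = '#^(?!//)[A-Za-z0-9._~\'/-]+(\?[A-Za-z0-9._~=&%-]*)?$#D';
    return preg_match($pattern, $location) === 1 ? $location : $default;
}

$posted = parsed_input_value($html);   // what arrives in $_POST['location']

echo "in the HTML source : $encoded\n";
echo "after HTML parsing : $posted\n";
echo 'round trip intact  : ' . var_export($posted === $requested, true) . "\n";

// An HTTP header is not HTML: the string passed to header() is sent verbatim,
// so an entity placed there (or typed into the address bar) stays literal.
echo 'header line        : Location: ' . safe_location($posted) . "\n";

// Values the check refuses fall back to the default page.
$refused = ['https://other-site.example/', '//other-site.example/x',
            "x.php\r\nSet-Cookie: a=b", $encoded];
foreach ($refused as $candidate) {
    echo 'fallback           : ' . safe_location($candidate) . "\n";
}
```

In login_check.php the checked value would be passed on as `header('Location: ' . safe_location($_POST['location']));`.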