Francis,
> I've come across an apparent form anomaly when using dillo to test a
> separate application.
>
> If I create a html form, the data submitted differs depending on whether
> I use "text" or "hidden" input types -- specifically, the "hidden" type
> is not parsed for html entities. This causes breakage when I want to set
> the value to the four-character string x"'y, for example.
>
> The code for this is in html.c, around line 3077 (version 1.132), where
> just using the same "init_str = (value) ? value : NULL;" as most other
> types would work.
>
> >From the comment, it was clearly a deliberate decision to
> leave out entity-parsing for DILLO_HTML_INPUT_HIDDEN (and
> DILLO_HTML_INPUT_PASSWORD, around line 3049). The change appears to have
> been made between revisions 1.5 and 1.6, where the "submit" (and others)
> type explicitly had Html_parse_entities() called but the "hidden" type
> didn't.
>
> I don't see any dispensation in the HTML DTD which makes "hidden" and
> "password" immune to the entity rules. Is the exception in dillo an
> oversight that just hasn't been spotted yet? Or is there some reasoning
> that I'm missing behind the way things are?
>
> For reference, other web browsers I tried took the html fragment
>
> <form>
> <input type=text name=plain value="x"x">
> <input type=hidden name=hide value="x"x">
> <input type=submit>
> </form>
>
> and on submission, the URL had the same value for "plain" and "hide".
> In dillo, the query string is plain=x%22x&hide=x%26quot%3Bx
This is quite an interesting issue!
I digged through the historical releases and the root of the
problem is very far (before 0.3.2!).
As I currently see it, the SGML type for those INPUT attribute
values is CDATA, so entities SHOULD/MUST be parsed!!!
Does anyone know otherwise?
Cheers
Jorge.-
