Representing '&' in URLs

Chris Maden crism at oreilly.com
Fri Jan 22 19:19:05 GMT 1999 

[Robin Cover]
> This makes the syntax valid, but unfortunately, only a few Web
> servers will be able to handle this notation.  The same engineers
> (apparently) who have designed the software to generate the
> malformed URLs have also designed the servers to grok ONLY raw
> (unescaped) ampersand.  For the notation you have offered, most
> processors will choke.  So, as a document author attempting to
> compose valid HTML/XML with links of this kind - you're hosed.

The problem isn't servers, it's browsers.  The browser should come
across the markup:

   href="http://ee.org/%7Euser/cgi/ohm.pl?volt=7&amp=3"

and extract the parsed value

   http://ee.org/%7Euser/cgi/ohm.pl?volt=7&amp=3

which is then interpreted by the browser:

   Get '/%7Euser/cgi/ohm.pl?volt=7&amp=3' from ee.org port 80.

The server interprets the requested file, and resolves hex encodings:

   Run '/~user/cgi/ohm.pl' with QUERY_STRING set to 'volt=7&amp=3'.

The CGI script parses the QUERY_STRING:

   'volt' is '7'; 'amp' is '3'.

The CGI script should be able to deal with the recommended semicolons
as well as the deprecated ampersands ('volt=7;amp=3').

Where the problem occurs is that, until Netscape 3 or so, entity
references were never resolved in attribute values.  This meant you
couldn't do <IMG ALT="--&gt;">.  (You couldn't have a raw > in older
versions of Netscape because it would end the attribute value there,
despite the quotes.)  So Netscape applied their entity recognition
algorithm:

   '&' known-entity-name ';'?  

to attribute values.  Netscape will render '&ltri;' as '<ri;' and the
same thing happens in attribute values.  The markup:

   href="http://ee.org/%7Euser/cgi/ohm.pl?amp=3&volt=7"

will pass without alteration, but the markup:

   href="http://ee.org/%7Euser/cgi/ohm.pl?volt=7&amp=3"

will be parsed as

   http://ee.org/%7Euser/cgi/ohm.pl?volt=7&=3

Oh, well.  The HTML 2.0 RFC, published over two years ago and in draft
for nearly a year before that, recommended using semicolons instead of
ampersands for separating parameters, but most CGI scripts don't
implement that, so only Lynx has implemented it in the browser, and
then only if the ENCTYPE attribute on the <FORM> is some proprietary
string.

Please pardon my ranting.

-Chris
-- 
<!NOTATION SGML.Geek PUBLIC "-//Anonymous//NOTATION SGML Geek//EN">
<!ENTITY crism PUBLIC "-//O'Reilly//NONSGML Christopher R. Maden//EN"
"<URL>http://www.oreilly.com/people/staff/crism/ <TEL>+1.617.499.7487
<USMAIL>90 Sherman Street, Cambridge, MA 02140 USA" NDATA SGML.Geek>

xml-dev: A list for W3C XML Developers. To post, mailto:xml-dev at ic.ac.uk
Archived as: http://www.lists.ic.ac.uk/hypermail/xml-dev/
To (un)subscribe, mailto:majordomo at ic.ac.uk the following message;
(un)subscribe xml-dev
To subscribe to the digests, mailto:majordomo at ic.ac.uk the following message;
subscribe xml-dev-digest
List coordinator, Henry Rzepa (mailto:rzepa at ic.ac.uk)

More information about the Xml-dev mailing list