I've seen that kind of thing happen with sites that use Siteminder to
handle logins. You go to the original site and get bounced to the
login page on the Siteminder machine. Buried in the login form
there's a hidden variable that contains the whole URL to return to if
the login is successful. That URL can (and usually does) contain a
'?' and a bunch of '&'s to pass parameters back to the original site.
It gets double encoded when being posted back so that the forms
processing machine doesn't strip out the parameters for itself.

At least in that particular case, it's functioning as intended.

Ralph Mitchell

On 1/20/06, Doug McNutt <douglist_at_macnauchtan.com> wrote:
> I recently found a URL-encoded string that was included in the middle of a POST after being delivered, in encoded form, as a hidden field inside of an HTML <form>.
>
> The browsers were URL encoding the whole POST so that the result was encoded twice.
>
> %253F, %253D
>
> entries galore. But they seemed to work as expected at the other end. What scares me is that it may not be intended but is the result of reflexive application of canned URL encoding.
>
> --
>
> --> From the U S of A, the only socialist country that refuses to admit it. <--
>
Received on 2006-01-20