Posted by Bob Arn on 10/15/06 11:16
In article <1160830571.192891.47760@m73g2000cwd.googlegroups.com>,
"John Dunlop" <usenet+2004@john.dunlop.name> wrote:
> Bob Arn:
>
> > [sree:]
>
> > > header("Location: myaccount.php?suc=password changed successfully");
>
> RFC2616 states that Location must be a URI not a relative reference,
> and RFC3986 states that URIs cannot contain unencoded spaces.
> User-agent error recovery probably means both that the Request-URI from
> the original request is understood as the base URI from which the
> relative reference is resolved and that the value of Location is taken
> as everything up until the first space.
>
> > try: suc=password+changed+successfully
>
> Plus signs do have advantages over %20 in that they are two characters
> shorter, they render the URL more readable, and in this case they are
> intuitively better suited to concatenation. However, HTTP/1.1 does not
> assign any special meaning to <+>; nowhere does it say that <+> means a
> space. Where <+> does mean a space is in the
> application/x-www-form-urlencoded content type, as described in
> HTML4.01 sec. 17.13.4.
>
> I would percent-encode spaces here.

It doesn't matter because the page it's going to is myaccount.php. The
rest is only used by the application. The important thing is that it's
not a space or other forbidden character.
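
Added example, not part of the thread or written by any poster: one way to build the redirect discussed above as an absolute URI with the space percent-encoded, followed by a check of how the two spellings of a space are read back. `APP_BASE`, its example.com value and the `redirect_target()` helper are assumptions made for illustration.

```php
<?php
// Added illustration; APP_BASE and redirect_target() are hypothetical names.
// The base URL comes from configuration rather than from the request's
// Host header, so the client cannot choose where the redirect points.
const APP_BASE = 'https://www.example.com/app/';

/**
 * Build an absolute redirect target whose query string is encoded
 * per RFC 3986 (a space becomes %20).
 */
function redirect_target(string $page, array $params): string
{
    // PHP_QUERY_RFC3986 emits %20 for a space; the default encoding type
    // (PHP_QUERY_RFC1738) emits "+" as in application/x-www-form-urlencoded.
    $query = http_build_query($params, '', '&', PHP_QUERY_RFC3986);

    return APP_BASE . rawurlencode($page) . ($query === '' ? '' : '?' . $query);
}

$target = redirect_target('myaccount.php', ['suc' => 'password changed successfully']);
echo $target, "\n";

// How each spelling is read back. urldecode() applies the form rules
// ("+" means space), which is also how PHP fills $_GET; rawurldecode()
// applies generic URI rules, where "+" is just a plus sign.
foreach (['password+changed', 'password%20changed'] as $raw) {
    printf(
        "%-20s form-decoded: %-18s URI-decoded: %s\n",
        $raw,
        urldecode($raw),
        rawurldecode($raw)
    );
}

// In the script that issues the redirect:
// header('Location: ' . $target);
// exit;
```
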