kerodon
Kerodon incorrectly uses query-string when submitting form
When we `(press "save")` on this form:

```html
<form action="/myform?email=hi">
  <input type="hidden" name="email" value="hello"/>
  <input type="submit" value="save"/>
</form>
```
Kerodon will wrongly reuse the query string, resulting in a request path of `/myform?email=hi&email=hello`. This is inconsistent with the behaviour I see in my browser (latest Chrome). Kerodon is also wrong according to specifications mentioned here [1].
This problem surfaces when the parameters are parsed with `ring.middleware.params/wrap-params`: this results in `{"email" ["hi" "hello"]}` instead of `{"email" "hello"}`.
[1] https://stackoverflow.com/questions/1116019/when-submitting-a-get-form-the-query-string-is-removed-from-the-action-url/9882750#9882750
It seems that https://github.com/xeqi/kerodon/pull/45, from 2016, is claiming the opposite. Not sure where this is coming from; the link and specification I was referring to are already from 2009.
@ayato-p do you happen to remember your particular situation?
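The difference reported in this issue, as an added example that is not kerodon's code or part of the original thread: for a GET form, the HTML form-submission algorithm replaces the action URL's query with the form data, while appending to it produces a duplicated key that a Ring-style parser turns into a vector. The function names, the `form` object and the `http://localhost` base are assumptions made for illustration.

```javascript
// Added example, not kerodon code. All names here are hypothetical.
// Constructed input mirroring the form in the issue.
const form = {
  action: "/myform?email=hi",
  fields: [["email", "hello"]], // the hidden input
};

// Browser behaviour for method=GET: the encoded form data
// replaces whatever query the action URL already carried.
function browserGetUrl(form, base = "http://localhost") {
  const url = new URL(form.action, base);
  url.search = new URLSearchParams(form.fields).toString();
  return url.pathname + url.search;
}

// Behaviour reported in the issue: form data is appended to the existing query.
function appendingGetUrl(form, base = "http://localhost") {
  const url = new URL(form.action, base);
  for (const [k, v] of form.fields) url.searchParams.append(k, v);
  return url.pathname + url.search;
}

// Ring-style parse: a key seen once maps to a string,
// a repeated key maps to an array of every value in order.
function parseParams(path) {
  const out = Object.create(null); // no inherited keys such as "constructor"
  const i = path.indexOf("?");
  const query = i === -1 ? "" : path.slice(i + 1);
  for (const [k, v] of new URLSearchParams(query)) {
    out[k] = k in out ? [].concat(out[k], v) : v;
  }
  return out;
}

// Check for a test suite: which keys changed shape from string to array?
function duplicatedKeys(path) {
  return Object.entries(parseParams(path))
    .filter(([, v]) => Array.isArray(v))
    .map(([k]) => k);
}

console.log(browserGetUrl(form), parseParams(browserGetUrl(form)));
console.log(appendingGetUrl(form), parseParams(appendingGetUrl(form)));
```

A handler that validates `email` as a string sees a different type in the appended case, so a test harness that appends can pass or fail differently from a real browser session.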