JavaScript document.location.href seems to expect HTML

Question

If I execute this in the IE 11 console:

document.location.href="a&amp;b";

I get an error saying:

Not found - The requested URL /a&b was not found on this server.

But should it not rather complain about a&b not being found? The URL which happens to contain a HTML entity seems to be interpreted as HTML, despite nothing here actually being connected to HTML.

I came across this while having a GET parameter named copy_from in an onclick attribute, and despite escaping the ampersand correctly (&copy_from=), the final URL showed up with a copyright character in it. (It works in IE by escaping the ampersand twice, but then it fails in other browsers.)

Am I missing something or is this an IE bug?

Isn't `&` a invalid char for the none query part of the url? So the behavior how a browser would handle `/a&b` is somehow undefined? — t.niese, Nov 27 '14 at 17:04
Running that in the *chrome* console doesn't give that result, so it looks like an IE bug. — Quentin, Nov 27 '14 at 17:08
I understood the href property to contain a fully fledged URI, including GET parameters. — Wolfgang Stengel, Nov 27 '14 at 17:08

score 1 · Accepted Answer · edited May 23 '17 at 11:59

I do think this is a bug. If, in javascript you have specified '/a&b', then the URL requested should have nothing to do with HTML entities. This is supported by the fact that most browsers try to redirect you to '/a&b', as expected.

I've seen lots of inconsistencies between browsers like this before.

It's probably the kind of thing someone (with lots more time than I) could find a way to exploit.

If the document is XHTML - and interpreted as XML - however, you are required to use a CDATA section around the inline javascript which includes the ampersands. e.g. When is a CDATA section necessary within a script tag?.

In practice, this is rarely done, which is why this is probably a bug.

JavaScript document.location.href seems to expect HTML

1 Answers1