/    Sign up×
Community /Pin to ProfileBookmark

IE7 location.href ‘invalid argument’ error

Copy linkTweet thisAlerts:
Aug 24.2007

I have a URL that includes a URLEncoded serialized java object id as the last component of the URL. I’m not passing this as a URL parameter, its part of the actual URL. I’m trying to navigate to this URL using the javascript below…

location.href = ‘/Majalin/Admin/eai@oracle_cyberavenue_com_au/MsssMasterRules/%AC%ED%00%05t%00%0CG-POLECONC++t%00%04INS+t%00%02SHt%00%05M0095t%00%05M0005t%00%05M0004sr%00%13java.lang.Character4%8BG%D9k%1A%26x%02%00%01C%00%05valuexp%000’;

This works in all browsers except for IE7, which gives me the ‘invalid procedure or argument’ error.

The problem has something to do with the last section of the URL (ie. the %AC%ED%00%05t%00%0CG-POLECONC++t%00%04INS+t%00%02SHt%00%05M0095t%00%05M0005t%00%05M0004sr%00%13java.lang.Character4%8BG%D9k%1A%26x%02%00%01C%00%05valuexp%000 part ). If I remove this, it works in IE7.

So this will work for me…

location.href = ‘/Majalin/Admin/eai@oracle_cyberavenue_com_au/MsssMasterRules’;

My question is, why does IE7 behave differently from all other browsers and have a problem navigating to the URL when the last component contains URL encoded characters? I’m after a reason apart from IE being rubbish in general.

to post a comment
HTML

3 Comments(s)

Copy linkTweet thisAlerts:
@FangAug 25.2007 — IE7 doesn't like the NULL control character.

Note: the NULL character can be used maliciously in Fx and/or Apache!
Copy linkTweet thisAlerts:
@afryerauthorAug 30.2007 — It turns out that IE7 doesn't like any % in the url UNLESS it is the escaped '%' character itself. So IE7 is happy with '%25' being in the url, but any other string combination using '%' at the start and IE7 will not even try to navigate to the url. This means I had to do a 2 pass encode of the java serialized object just to satisfy IE7. The second encode is necessary to convert the first encodings '%' characters that aren't the encoded '%' already.

So what is the security vulnerability that exists with encoded characters apart from %25?
Copy linkTweet thisAlerts:
@kiwibritAug 30.2007 — It turns out that IE7 doesn't like any % in the url UNLESS it is the escaped '%' character itself. So IE7 is happy with '%25' being in the url, but any other string combination using '%' at the start and IE7 will not even try to navigate to the url. This means I had to do a 2 pass encode of the java serialized object just to satisfy IE7. The second encode is necessary to convert the first encodings '%' characters that aren't the encoded '%' already.

So what is the security vulnerability that exists with encoded characters apart from %25?[/QUOTE]


Is [url=http://mozillalinks.org/wp/2007/07/ies-unescaped-urls-vulnerability-also-present-in-firefox/]this[/url] what you are looking for?
×

Success!

Help @afryer spread the word by sharing this article on Twitter...

Tweet This
Sign in
Forgot password?
Sign in with TwitchSign in with GithubCreate Account
about: ({
version: 0.1.9 BETA 5.16,
whats_new: community page,
up_next: more Davinci•003 tasks,
coming_soon: events calendar,
social: @webDeveloperHQ
});

legal: ({
terms: of use,
privacy: policy
});
changelog: (
version: 0.1.9,
notes: added community page

version: 0.1.8,
notes: added Davinci•003

version: 0.1.7,
notes: upvote answers to bounties

version: 0.1.6,
notes: article editor refresh
)...
recent_tips: (
tipper: @AriseFacilitySolutions09,
tipped: article
amount: 1000 SATS,

tipper: @Yussuf4331,
tipped: article
amount: 1000 SATS,

tipper: @darkwebsites540,
tipped: article
amount: 10 SATS,
)...