
Username breaks some links Answered


I have discovered that our username breaks certain links on the site although it presumably passed input validation when we set it up. First locate any use of the username such as on the Instructable here: https://www.instructables.com/id/A-Quick-Laser-Cut-Sailing-Trophy/

The link has been encoded as

https://www.instructables.com/member/Sean%2BJames/

which is not being processed correctly, resulting in the 400 error.

This has been tested on Firefox on Mac, Chrome on Mac, and Firefox on Windows. I know it is not a browser problem but I thought I would do a bit of testing.

5 Replies

kelseymh (author) 2012-09-04

The plus character is special -- it is how the HTTP protocol encodes a space (blank) in a URL. The simplest, and most likely to be successful, solution is for you to change your username to "Sean_James" or "Sean-James". Don't use any of "#", "&", "+", "/" special characters.

Sean+James (author) (in reply to kelseymh) 2012-09-04

They have encoded the "+" correctly as %2B. The problem is that somewhere within the web tier they are not processing the URI correctly, almost certainly as part of SQL injection protection. I have no real issue with changing the userid but there should be validation to catch this, or better back end validation.

kelseymh (author) (in reply to Sean+James) 2012-09-04

Ah, ha! The "%xx" encoding is not an "escape sequence". It does not replace the meaning of special characters.

For example, the two (partial) URLs /~kelsey/index.html and /%7Ekelsey/index.html are required by the RFC-1866 spec to refer to exactly the same files on the server.

In your case, both Sean+James and Sean%2BJames refer to the same path on the I'bles server, namely, a file or directory named "Sean James" with a space in the middle of the filename.

The bottom line is that you just cannot use any of the "reserved characters" as part of a username: no spaces, no "+", "#", "?", "/", etc.

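The decoding question discussed in the replies above can be checked directly. This is an added example, not part of the thread and not the site's code. It uses Python's standard `urllib.parse` to compare RFC 3986 path-segment decoding (a literal "+" is kept) with form-style decoding ("+" becomes a space), and shows that decoding twice changes the name. The `/member/` lookup and the helper names are hypothetical; which decoding the site's tiers actually applied is not known from the thread.

```python
from urllib.parse import quote, unquote, unquote_plus

def profile_path(username: str) -> str:
    """Build a profile link like the one on the page: percent-encode
    everything outside the unreserved set, so '+' becomes %2B."""
    return "/member/" + quote(username, safe="") + "/"

def decode_segment(segment: str) -> str:
    """RFC 3986 path decoding: only %xx sequences are decoded, '+' stays '+'."""
    return unquote(segment)

def decode_form_style(segment: str) -> str:
    """application/x-www-form-urlencoded decoding: '+' becomes a space, then
    %xx is decoded. Meant for query strings and form bodies, not for paths."""
    return unquote_plus(segment)

def lookup_name(path: str, decoder, passes: int = 1) -> str:
    """Hypothetical back end: take the segment after /member/ and decode it
    `passes` times (more than once models two tiers that each decode)."""
    segment = path.strip("/").split("/")[1]
    for _ in range(passes):
        segment = decoder(segment)
    return segment

def survives_round_trip(username: str, decoder, passes: int = 1) -> bool:
    """Registration-time check: does the name come back unchanged after the
    link is built and then decoded the way the serving stack decodes it?"""
    return lookup_name(profile_path(username), decoder, passes) == username

if __name__ == "__main__":
    # Constructed sample usernames, including the one from the thread.
    for name in ["Sean+James", "Sean_James", "a/b", "100%"]:
        print(f"{name!r:14} link={profile_path(name)!r:26} "
              f"path-decode ok={survives_round_trip(name, decode_segment)} "
              f"form-decode x2 ok={survives_round_trip(name, decode_form_style, 2)}")
```

Running a check like `survives_round_trip` at sign-up, with the decoder and pass count that match the real serving stack, rejects names that would later produce dead profile links.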

Kiteman (author) 2012-09-04

Send an email to service@instructables.com and ask them to change it to something else (maybe "Sean_and_James"?).

Jayefuu (author) 2012-09-04

That's really annoying, I want to look at your profile!
