MetaRefresh URI does not get sanitized #177

joallard opened this Issue Dec 21, 2011 · 5 comments



I have been in the situation where the server will redirect me to an unsanitized URI on a meta-refresh.

In `/lib/mechanize/page/meta_refresh.rb:40`:

```ruby
class Mechanize::Page::MetaRefresh

  def self.parse content, base_uri
    return unless content =~ CONTENT_REGEXP

    delay, refresh_uri = $1, $3

    dest = base_uri
    dest += refresh_uri if refresh_uri     # Oops!

    return delay, dest
  end
end
```

The referenced line will raise `URI::InvalidURIError` if `refresh_uri` contains illegal symbols (such as `<`). I don't quite know where the sanitizing should be done though.


drbrain commented Dec 21, 2011

I'll fix mechanize to match the behavior in Safari, which is to convert `/funky?<b>Welcome<%2Fb>` to `/funky?%3Cb%3EWelcome%3C%2Fb%3E`.

PS: In the future, please come straight here and file a bug, even if you think it might not be a bug. I would have fixed this for mechanize 2.1.

drbrain added a commit that referenced this issue Dec 22, 2011

In meta refresh, escape special characters in the URI before parsing.…
… % is excluded because Safari doesn't escape it. Issue #177

drbrain closed this Dec 22, 2011
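The behaviour discussed in this thread, as an added Ruby example that is not mechanize's code and not the referenced commit: a server-supplied refresh target is percent-escaped (leaving `%` alone, as the commit message says) before it is joined to the base URI. The `REFRESH` regexp, the `UNSAFE` character set, the helper names and the `example.com` base are assumptions made for illustration; `URI::RFC2396_Parser` is used explicitly so that the rejection of `<` is reproducible regardless of which parser a given Ruby uses by default.

```ruby
require 'uri'

# Strict RFC 2396 parser: rejects "<" and ">" in a URI reference.
STRICT = URI::RFC2396_Parser.new

# Anything outside the RFC 3986 reserved and unreserved sets is escaped.
# "%" is deliberately left alone, following the commit message in this thread.
UNSAFE = %r{[^A-Za-z0-9\-._~:/?\#\[\]@!$&'()*+,;=%]}

# Simplified stand-in for the library's CONTENT_REGEXP (an assumption).
# Group 1 is the delay, group 3 the optional, optionally quoted, target.
REFRESH = /\A\s*(\d+(?:\.\d+)?)\s*(?:;\s*url\s*=\s*(['"]?)(.*?)\2)?\s*\z/i

# Percent-escape each unsafe character, byte by byte, in uppercase hex.
def escape_refresh_uri(raw)
  raw.gsub(UNSAFE) { |ch| ch.bytes.map { |b| format('%%%02X', b) }.join }
end

# True when the strict parser accepts the reference as-is.
def strictly_parsable?(ref)
  STRICT.parse(ref)
  true
rescue URI::InvalidURIError
  false
end

# Returns [delay, absolute_uri_string], or nil when content is not a refresh.
def parse_meta_refresh(content, base)
  m = REFRESH.match(content)
  return nil unless m

  dest = STRICT.parse(base)
  target = m[3]
  dest += STRICT.parse(escape_refresh_uri(target)) if target && !target.empty?
  [m[1], dest.to_s]
end

# Constructed sample input, built from the URI quoted in the thread.
RAW = '/funky?<b>Welcome<%2Fb>'

if $PROGRAM_NAME == __FILE__
  puts "raw target parsable:     #{strictly_parsable?(RAW)}"
  puts "escaped target:          #{escape_refresh_uri(RAW)}"
  puts "resolved refresh target: " \
       "#{parse_meta_refresh("0; url=#{RAW}", 'http://example.com/start').inspect}"
end
```
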

Sorry I didn't come here earlier, I didn't quite know what to do with the issue.

anikkar commented Feb 4, 2012

Do you know when the next version of mechanize will be released; can I point to a pre-release gem?

Would really like to take advantage of this fix.

Or is there an easy way to monkey patch it?


drbrain commented Feb 4, 2012

I released it today.

anikkar commented Feb 4, 2012

