It seems to me it's also storing the return_url in the query... sometimes more than once. I'm not sure this is useful, and it seems to lead to some rather large cookies that are causing my browser to choke. Also, there are other characters besides '-' that are allowed in field names; parsepr has a similar issue with not allowing other characters (if gnats allows them, gnatsweb should). I'm not 100% sure what characters are allowed - I know > and : aren't, because they mark the beginning and end of a field name in the flat file. I had someone else set up a database that I took over, and he used + and /, which seem to be valid as far as gnats is concerned. So I changed your fix to:
$query_string =~ s/[\w\-\+\/]+=;//g;
# strip the return_url from the cookie - is it always at the end?
$query_string =~ s/(;return_url=).*$//g;
$query_string =~ s/(\%3Breturn_url\%3D).*$//g;
I'm sure I still don't have every case when it comes to allowed characters in the field names. If you haven't used anything except - and \w characters, you're probably fine. And I'm not sure whether I need both statements to strip the return_url - I couldn't figure out how it was getting passed to the store_query subroutine - I think it might be different depending on whether it got to the display_query_results screen from a stored query or a user-selected query.
Good points. I think I'll hold off on doing anything about the
return_url, because I'm still hoping to get rid of that mechanism
Do note that the regexp "(\w|-)" appears several times in
gnatsweb.pl, not just the one place I changed.
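The stripping discussed in the first message, as an added example that is not gnatsweb's code and not from either poster: it removes empty fields and return_url wherever they sit in the string rather than cutting from return_url to the end. The sub name strip_query and the sample strings are hypothetical, and it assumes a fully URL-encoded string contains no literal '='.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not part of gnatsweb.pl): drop empty "name=" pairs and
# every return_url pair from a ';'-separated query string, at any position.
# Field names are not filtered by character class, so names containing
# '+' or '/' are handled the same as \w and '-' names.
sub strip_query {
    my ($query_string) = @_;

    # Assumption: the plain form always has a literal '='; the form that was
    # URL-encoded as a whole has only "%3D" and "%3B" as separators.
    my ($sep, $eq) = $query_string =~ /=/ ? (';', '=') : ('%3B', '%3D');

    my @kept;
    for my $pair (split /\Q$sep\E/i, $query_string) {
        my ($name, $value) = split /\Q$eq\E/i, $pair, 2;
        next unless defined $name && length $name;      # stray separator
        next if $name eq 'return_url';                  # never store it
        next unless defined $value && length $value;    # empty field
        push @kept, $pair;
    }
    return join $sep, @kept;
}

# Constructed sample inputs; the field names and URLs are made up.
my @samples = (
    'Category=gnats;Fix+Version=;return_url=http%3A//host/cgi%3Fcmd%3Dquery;State=open',
    'Category%3Dgnats%3BRelease/Note%3D%3Breturn_url%3Dhttp%253A//host%3BState%3Dopen',
);
print strip_query($_), "\n" for @samples;
```

In both samples return_url is followed by another field, which is the case where a pattern ending in `.*$` would also discard the trailing State value.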