
Re: img issue: should we restrict the URI

From: Laurens Holst <lholst@students.cs.uu.nl>
Date: Fri, 09 Jan 2009 10:17:34 +0100
Message-ID: <4967162E.9020009@students.cs.uu.nl>
To: Maurice <maurice@thymeonline.com>
CC: Boris Zbarsky <bzbarsky@MIT.EDU>, public-html@w3.org
Maurice schreef:
>> "but it seems that a number of web developers not only produce markup 
>> like this but notice the requests in their HTTP logs and file bugs 
>> about it."
>
> This happened a lot to me recently during the early to mid-development 
> stages of a few sites.
>
> The HTML validator didn’t notify me of an img tag with no src value 
> and even if it did I wouldn't have cared
> because it happened when I was mostly focusing on server side code to 
> manage content.
> So at the time the validity of the html and image sources weren’t my 
> primary concern.
>
> I only noticed because loading that page should have resulted in 1 new 
> record in the database, but I got 5 new records instead.
> This happened because I had 4 empty img tags in my template.
> Each one causing the browser to call the page URL 4 additional times :(

GET is supposed to be a ‘safe’ method and not create any data, only read 
— by coding pages in such a way as you describe, you are creating a 
security vulnerability. So instead of treating the extra requests caused 
by <img src=""> as a bug, you should’ve considered it a warning.

I.e. someone can digg that URL and spam your database.

~Laurens

-- 
Note: New email address! Please update your address book.

~~ Ushiko-san! Kimi wa doushite, Ushiko-san nan da!! ~~
Laurens Holst, student, Utrecht University, the Netherlands
Website: www.grauw.nl. Backbase employee; www.backbase.com



Received on Friday, 9 January 2009 09:18:21 UTC
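As an added illustration of the point made in this reply (not part of the original thread), a small Python model of the behaviour Maurice describes: a page handler that writes a record on every request gets one extra write per empty `<img src="">`, because an empty src resolves to the document's own URL, while a handler that only mutates state on POST is unaffected. The template, page URL and handler names are constructed for this example.

```python
import re
from urllib.parse import urljoin

# Constructed template: four <img> tags with an empty src, as in the thread,
# plus one ordinary image for contrast.
PAGE_URL = "http://example.test/items/new"
TEMPLATE = """<html><body>
<img src=""><img src=""><img src=""><img src="">
<img src="/static/logo.png">
</body></html>"""

def img_requests(html, page_url):
    """Return the URLs a browser would fetch for each <img src=...>.
    An empty src resolves against the document's own URL, which is why
    the page handler was hit once more per empty tag."""
    srcs = re.findall(r'<img\s+src="([^"]*)"', html)
    return [urljoin(page_url, s) for s in srcs]

def unsafe_handler(method, url, db):
    """Vulnerable pattern from the thread: a record is created on *any*
    request to the page, GET included, so each image fetch of the page URL
    inserts another row."""
    if url == PAGE_URL:
        db.append({"method": method})
    return TEMPLATE

def safe_handler(method, url, db):
    """Hardened pattern: GET is a safe, read-only method; only POST mutates
    state, so the browser's extra GETs cannot create records."""
    if url == PAGE_URL and method == "POST":
        db.append({"method": method})
    return TEMPLATE

def simulate(handler, initial_method):
    """Model one request to the page (GET or POST) followed by the browser
    fetching the returned page's images with GET. Returns the number of
    records written."""
    db = []
    html = handler(initial_method, PAGE_URL, db)
    for img_url in img_requests(html, PAGE_URL):
        handler("GET", img_url, db)
    return len(db)

if __name__ == "__main__":
    print("unsafe, page loaded by GET:", simulate(unsafe_handler, "GET"))
    print("safe, form submitted by POST:", simulate(safe_handler, "POST"))
    print("safe, page loaded by GET:", simulate(safe_handler, "GET"))
```

With the unsafe handler a single page load yields 5 records (1 for the page plus 4 for the empty img tags); with the safe handler a POST yields exactly 1 and a plain GET yields none.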
