
Re: <iframe doc="">

From: Tab Atkins Jr. <jackalmage@gmail.com>
Date: Sun, 24 Jan 2010 16:41:42 -0600
Message-ID: <dd0fbad1001241441n22a25074j3e290b65e7d46184@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: Shelley Powers <shelley.just@gmail.com>, Ian Hickson <ian@hixie.ch>, "public-html@w3.org WG" <public-html@w3.org>
On Sun, Jan 24, 2010 at 2:16 PM, Tab Atkins Jr. <jackalmage@gmail.com> wrote:
> Or do the standard url-escaping functions built into basically
> all programming languages cover it completely?

The answer, by the way, is no.  I can't speak for other languages, but
PHP's standard url escaping function, urlencode(), will escape spaces
as +.  data: urls require spaces to be encoded as %20.

Test case provided by Philip`: "data:text/html".urlencode("a b")
produces "data:text/html,a+b", which produces a page containing the
text "a+b".

So, for PHP, the most common web-programming language on the internet,
authors would have to write their own url escaping function for data:
urls.  This is a non-trivial matter, especially when unicode is
involved, opening them to the possibility of attack.  Compare to the
srcdocEscape function I wrote earlier:

function srcdocEscape($html) {
  // Only & and " need escaping for a value placed inside a double-quoted attribute
  return strtr($html,array("&"=>"&amp;", '"'=>"&quot;"));
}

Trivial and correct.

~TJ
Received on Sunday, 24 January 2010 22:42:34 UTC
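The contrast above, worked through as an added PHP example (editor's addition, not code from the message or from the HTML WG): the same HTML fragment is embedded once as a data: URL and once as a srcdoc attribute value, and each result is decoded the way a browser would. percentEncode() and dataUrlHtml() are this example's own hand-written helpers (a byte-wise RFC 3986 percent-encoder, so multi-byte UTF-8 comes out as one %XX per byte); srcdocEscape() mirrors the function quoted in the message; the $html sample input is constructed for the demonstration.

```php
<?php
// Added example: data: URL encoding versus srcdoc attribute escaping in PHP.
// percentEncode() and dataUrlHtml() are helpers written for this example.

// Percent-encode every byte outside the RFC 3986 unreserved set
// (A-Z a-z 0-9 - . _ ~). Spaces become %20, never "+". Works on raw
// bytes, so a UTF-8 "ü" becomes %C3%BC.
function percentEncode(string $s): string {
    $out = '';
    $len = strlen($s);
    for ($i = 0; $i < $len; $i++) {
        $c = $s[$i];
        $o = ord($c);
        $unreserved = ($o >= 0x30 && $o <= 0x39)   // 0-9
                   || ($o >= 0x41 && $o <= 0x5A)   // A-Z
                   || ($o >= 0x61 && $o <= 0x7A)   // a-z
                   || strpos('-._~', $c) !== false;
        $out .= $unreserved ? $c : sprintf('%%%02X', $o);
    }
    return $out;
}

// Declare charset=utf-8 so the browser decodes the percent-encoded bytes
// as UTF-8 rather than guessing.
function dataUrlHtml(string $html): string {
    return 'data:text/html;charset=utf-8,' . percentEncode($html);
}

// Same function as in the message: inside a double-quoted attribute only
// & and " need escaping; the browser un-escapes the attribute value and
// then parses it as a full HTML document.
function srcdocEscape(string $html): string {
    return strtr($html, ['&' => '&amp;', '"' => '&quot;']);
}

// Constructed sample input: a space, an existing entity, a quote and a
// non-ASCII character, i.e. everything that trips up the wrong escaper.
$html = '<p title="ü">a b &amp; c</p>';

echo "urlencode(): data:text/html," . urlencode($html) . "\n";
echo "percent:     " . dataUrlHtml($html) . "\n";
echo "srcdoc:      <iframe srcdoc=\"" . srcdocEscape($html) . "\"></iframe>\n";

// Decoding checks. A browser percent-decodes the body of a data: URL but
// does not turn "+" into a space, so rawurldecode() models its behaviour,
// whereas urldecode() would hide the bug by decoding "+" as a space.
assert(rawurldecode(percentEncode($html)) === $html);          // round-trips
assert(rawurldecode(urlencode($html)) !== $html);              // "a+b" stays "a+b"
assert(html_entity_decode(srcdocEscape($html), ENT_QUOTES, 'UTF-8') === $html);

echo "all checks passed\n";
```

Run it with `php example.php` (with `zend.assertions=1` if you want the assert() calls enforced). The three lines of output make the message's point visible: the urlencode() form carries `a+b`, the percent-encoded form carries `a%20b`, and the srcdoc form needs no URL escaping at all, only the two attribute characters.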