W3C home > Mailing lists > Public > public-html@w3.org > January 2010

Re: <iframe doc="">

From: Thomas Broyer <t.broyer@ltgt.net>
Date: Sun, 24 Jan 2010 23:55:19 +0100
Message-ID: <a9699fd21001241455m11822214vc3a033d314b8b397@mail.gmail.com>
To: "Tab Atkins Jr." <jackalmage@gmail.com>
Cc: "public-html@w3.org WG" <public-html@w3.org>
On Sun, Jan 24, 2010 at 11:41 PM, Tab Atkins Jr. <jackalmage@gmail.com> wrote:
> On Sun, Jan 24, 2010 at 2:16 PM, Tab Atkins Jr. <jackalmage@gmail.com> wrote:
>> Or do the standard url-escaping functions built into basically
>> all programming languages cover it completely?
>
> The answer, by the way, is no.  I can't speak for other languages, but
> PHP's standard url escaping function, urlencode(), will escape spaces
> as +.  data: urls require spaces to be encoded as %20.
>
> Test case provided by Philip`: "data:text/html".urlencode("a b")
> produces "data:text/html,a+b", which produces a page containing the
> text "a+b".
>
> So, for PHP, the most common web-programming language on the internet,
> authors would have to write their own url escaping function for data:
> urls.  This is a non-trivial matter, especially when unicode is
> involved, opening them to the possibility of attack.  Compare to the
> srcdocEscape function I wrote earlier:
>
> function srcdocEscape($html) {
>  return strtr($html,array("&"=>"&amp;", '"'=>"&quot;"));
> }
>
> Trivial and correct.

Correct me if I'm wrong, but PHP's rawurlencode() should do what's
needed here (otherwise, "fixing" urlencode() should be as easy as
str_replace('+', '%20', urlencode($html)); because urlencode() should
have encoded pluses into %2B already)

-- 
Thomas Broyer
/tɔ.ma.bʁwa.je/
Received on Sunday, 24 January 2010 22:56:15 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 9 May 2012 00:17:00 GMT