
[whatwg] URL query component

From: And Clover <and-py@doxdesk.com>
Date: Fri, 20 Apr 2012 12:37:10 +0000
Message-ID: <4F915876.50208@doxdesk.com>
On 2012-04-20 09:15, Anne van Kesteren wrote:
> Currently browsers differ for what happens when the code point cannot be encoded.
> What Gecko does [?%C2%A3] makes the resulting data impossible to interpret.
> What WebKit does [?%26%23163%3B] is consistent with form submission. I like it.

I do not! It makes the data impossible to recover just as Gecko does... 
in fact worse, because at least Gecko preserves ASCII. With the WebKit 
behaviour it becomes impossible to determine from a pure ASCII string 
'&#163;' whether the user really typed '£' or '&#163;' into the input field.

It has the advantage of consistency with the POST behaviour, but that 
behaviour is an unpleasant legacy hack which encourages a 
misunderstanding of HTML-escaping that promotes XSS vulns. I would not 
like to see it spread any further than it already has.

cheers,

-- 
And Clover
mailto:and at doxdesk.com
http://www.doxdesk.com/
gtalk:chat?jid=bobince at gmail.com
Received on Friday, 20 April 2012 05:37:10 GMT
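
The ambiguity discussed in this message, as an added example that is not part of the original post: it encodes three constructed inputs with each of the two strategies quoted above and reports which inputs become indistinguishable on the wire. The windows-1251 page encoding, the function names, and the model of the Gecko behaviour (UTF-8 bytes for a value the page encoding cannot represent) are assumptions.

```python
from urllib.parse import quote, unquote_to_bytes

PAGE_ENCODING = "windows-1251"   # assumption: a document encoding with no U+00A3
POUND = "\u00a3"                 # the pound sign from the thread
CHARREF = "&#163;"               # the character reference typed literally (pure ASCII)
CYRILLIC = "\u0412\u0408"        # constructed: text whose windows-1251 bytes are C2 A3
SAMPLES = [POUND, CHARREF, CYRILLIC]


def webkit_style(value, encoding=PAGE_ENCODING):
    """Unencodable code points become decimal character references."""
    raw = value.encode(encoding, errors="xmlcharrefreplace")
    return quote(raw, safe="")


def gecko_style(value, encoding=PAGE_ENCODING):
    """Assumed model: send UTF-8 bytes when the value cannot be encoded."""
    try:
        raw = value.encode(encoding)
    except UnicodeEncodeError:
        raw = value.encode("utf-8")
    return quote(raw, safe="")


def server_decode(component, encoding=PAGE_ENCODING):
    """What a server expecting the page encoding reads back."""
    return unquote_to_bytes(component).decode(encoding, errors="replace")


def collisions(inputs, encoder):
    """Map each wire form to the distinct inputs that produced it (2+ only)."""
    seen = {}
    for value in inputs:
        seen.setdefault(encoder(value), []).append(value)
    return {wire: vals for wire, vals in seen.items() if len(vals) > 1}


if __name__ == "__main__":
    for name, enc in (("webkit", webkit_style), ("gecko", gecko_style)):
        for value in SAMPLES:
            wire = enc(value)
            print(f"{name:6} {value!r:12} -> ?{wire:14} -> {server_decode(wire)!r}")
        print(f"{name:6} ambiguous: {collisions(SAMPLES, enc)}")
```

In both cases the server cannot recover the pound sign, but only the character-reference strategy makes it collide with an input that is pure ASCII.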
