W3C home > Mailing lists > Public > www-validator@w3.org > August 2001

Re: Warn about unknown parameters

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Thu, 02 Aug 2001 04:09:14 +0200
To: www-validator@w3.org
Message-ID: <rfchmts4sbm2pfnnn7mb141h9lq85caqua@4ax.com>

second try:

There are programs [1] and people who do something evil, they take a
template like


and try to get the resulting ressource, the W3C Validator output for the
given URI, obviously. The don't escape the <uri> part properly while
they must do that since the <uri> is _data_ and may contain e.g.
reserved characters like "?" or ";" that may conflict with the resulting
URI. Example:


The characters [/?;] are such reserved characters. Unencoded they are
interpreted as part of the whole URI, in our case this means, "foo" is
interpreted as CGI parameter since we accept ';' as parameter seperator.

The URI should look like


To _avoid confusion_ if someone or some tool does this, we should warn
about parameters found we don't know, 'foo' in this case. We don't
complain about 'uri' since we know this parameter. We can't warn about
an improper escaped URI as parameter without reparsing the QUERY_STRING
and I don't think this would be a good idea.

Warning about unknown parameters is as easy as

  warn "unknown parameter $_. Did you escape the URI properly?\n"
    foreach grep { not /^(uri|...|...|...)$/ } $q->params;

where ... represent additional known parameters.

[1] programs like my Internet Explorer context menu addon found at
    http://www.bjoernsworld.de/ie/addons.html for the W3C HTML Validator
Björn Höhrmann { mailto:bjoern@hoehrmann.de } http://www.bjoernsworld.de
am Badedeich 7 } Telefon: +49(0)4667/981028 { http://bjoern.hoehrmann.de
25899 Dagebüll { PGP Pub. KeyID: 0xA4357E78 } http://www.learn.to/quote/
Received on Wednesday, 1 August 2001 22:10:20 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 14:17:30 UTC