Re: Warn about unknown parameters

From: Bjoern Hoehrmann (derhoermi@gmx.net)
Date: Wed, Aug 01 2001

    From: Bjoern Hoehrmann <derhoermi@gmx.net>
    To: www-validator@w3.org
    Date: Thu, 02 Aug 2001 04:09:14 +0200
    Message-ID: <rfchmts4sbm2pfnnn7mb141h9lq85caqua@4ax.com>
    Subject: Re: Warn about unknown parameters
    
    Hi,
    
    second try:
    
    There are programs [1] and people who do something evil: they take a
    template like
    
      http://validator.w3.org/check?uri=<uri>
    
    and try to get the resulting resource, the W3C Validator output for the
    given URI, obviously. They don't escape the <uri> part properly while
    they must do that since the <uri> is _data_ and may contain e.g.
    reserved characters like "?" or ";" that may conflict with the resulting
    URI. Example:
    
      http://validator.w3.org/check?uri=http://host/?;foo
    
    The characters [/?;] are such reserved characters. Unencoded they are
    interpreted as part of the whole URI, in our case this means, "foo" is
    interpreted as a CGI parameter since we accept ';' as parameter separator.
    
    The URI should look like
    
      http://validator.w3.org/check?uri=http:%2F%2Fhost%2F%3F%3Bfoo
    
    To _avoid confusion_ if someone or some tool does this, we should warn
    about parameters found we don't know, 'foo' in this case. We don't
    complain about 'uri' since we know this parameter. We can't warn about
    an improperly escaped URI as parameter without reparsing the QUERY_STRING
    and I don't think this would be a good idea.
    
    Warning about unknown parameters is as easy as
    
      # CGI.pm: param() with no arguments returns the names of all parameters
      warn "unknown parameter $_. Did you escape the URI properly?\n"
        foreach grep { not /^(uri|...|...|...)$/ } $q->param;
    
    where ... represent additional known parameters.
    
    [1] programs like my Internet Explorer context menu addon found at
        http://www.bjoernsworld.de/ie/addons.html for the W3C HTML Validator
        ;-)
    -- 
    Björn Höhrmann { mailto:bjoern@hoehrmann.de } http://www.bjoernsworld.de
    am Badedeich 7 } Telefon: +49(0)4667/981028 { http://bjoern.hoehrmann.de
    25899 Dagebüll { PGP Pub. KeyID: 0xA4357E78 } http://www.learn.to/quote/
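
The following is an added example, not part of the original message or of the validator's code. It shows in JavaScript how the unescaped template leaks a stray `foo` parameter when the query is split on both `&` and `;`, and how escaping the target URI avoids it. All function names and the `KNOWN` set (only `uri` is named in the message) are assumptions.

```javascript
// Known parameter names. The message names only 'uri'; the others are elided there.
const KNOWN = new Set(["uri"]);

// Percent-decode one component; keep the raw text if an escape is malformed.
function decode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, " ")); }
  catch { return s; }
}

// Everything after the first '?' is the query string.
function queryOf(url) {
  const i = url.indexOf("?");
  return i === -1 ? "" : url.slice(i + 1);
}

// Split the query as the message describes: '&' and ';' both separate parameters.
function parseQuery(query) {
  return query.split(/[&;]/).filter((p) => p.length > 0).map((p) => {
    const eq = p.indexOf("=");
    return eq === -1 ? [decode(p), ""] : [decode(p.slice(0, eq)), decode(p.slice(eq + 1))];
  });
}

// One warning per parameter name that is not in KNOWN.
function warnings(query) {
  return parseQuery(query)
    .filter(([name]) => !KNOWN.has(name))
    .map(([name]) => `unknown parameter ${name}. Did you escape the URI properly?`);
}

// Client side: the target URI is data, so every reserved character is escaped.
// encodeURIComponent also escapes ':' (%3A), which is equally valid.
function buildCheckUrl(target) {
  return "http://validator.w3.org/check?uri=" + encodeURIComponent(target);
}

const target = "http://host/?;foo";                        // example from the message
const naive = "http://validator.w3.org/check?uri=" + target; // unescaped template fill
console.log(parseQuery(queryOf(naive)));   // uri is truncated, 'foo' appears as a parameter
console.log(warnings(queryOf(naive)));     // one warning, for 'foo'
console.log(buildCheckUrl(target));
console.log(parseQuery(queryOf(buildCheckUrl(target)))); // single 'uri' with the full target
```
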