- From: Peter J Churchyard <pjc@trusted.com>
- Date: Thu, 8 Feb 1996 16:24:24 -0500 (EST)
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
I think there is room for a GOOD document that truely describes what can appear in an href,src,action value. HTML 2.0 implies href=URI Where URI may be quoted. I often see 'html' with blanks in the URI un-encoded. This is in conflict with the URI spec. More recently, I have seen href="some odd substitution stuff" where the document is obviously going to be processed by the client so that the URI is dynamic. (Seen in some JAVA pages) Now the stuff between the quotes in no way is a URI. So currently I tell users that the original 'html' was broke... What also is needed is a good document describing the correct way to escape all characters that cgi-scripts may want to output as part of a URI. I treat %xx and y as same if xx is hex of y and y is a safe char. That is I translate %xx to y since there is no need for it to be specified as %xx. I have noticed that + is one of the characters that this is done with. As a proxy writer I want the proxy to only pass 'correct' URIs since the proxy allows URIs to be filtered, logged, denied or permitted depending on a number of things. Pete. -- The TIS Network Security Products Group has moved! voice: 301-527-9500 x123 fax: 301-527-0482 2277 Research Boulevard, 5th Floor, Rockville, MD 20850
Received on Thursday, 8 February 1996 13:30:05 UTC