- From: Laurens Holst <lholst@students.cs.uu.nl>
- Date: Fri, 09 Jan 2009 10:17:34 +0100
- To: Maurice <maurice@thymeonline.com>
- CC: Boris Zbarsky <bzbarsky@MIT.EDU>, public-html@w3.org
- Message-ID: <4967162E.9020009@students.cs.uu.nl>
Maurice wrote:
>> "but it seems that a number of web developers not only produce markup
>> like this but notice the requests in their HTTP logs and file bugs
>> about it."
>
> This happened a lot to me recently during the early to mid-development
> stages of a few sites.
>
> The html validator didn’t notify me of an img tag with no src value
> and even if it did I wouldn't have cared
> because it happened when I was mostly focusing on server side code to
> manage content.
> So at the time the validity of the html and image sources weren’t my
> primary concern.
>
> I only noticed because when loading that page should result in 1 new
> record in the database I got 5 new records instead.
> This happened because I had 4 empty img tags in my template.
> Each one causing the browser to call the page url 4 additional times :(

GET is supposed to be a ‘safe’ method and not create any data, only read — by coding pages in such a way as you describe, you are creating a security vulnerability. So instead of treating the extra requests caused by <img src=""> as a bug, you should’ve considered it a warning. I.e. someone can digg that URL and spam your database.

~Laurens

--
Note: New email address! Please update your address book.

~~ Ushiko-san! Why are you Ushiko-san!! ~~

Laurens Holst, student, Utrecht University, the Netherlands
Website: www.grauw.nl. Backbase employee; www.backbase.com
Received on Friday, 9 January 2009 09:18:21 UTC
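The following is an added example, not code from this thread or from either participant's site. It models the two halves of what is discussed above: a template check that flags `<img>` tags with an empty or missing `src` (the thing the validator did not report), and a simulated page load showing why a handler that writes to the database on GET produces one extra record per empty `img`, while a handler that only writes on POST is unaffected. The page URL, the template, the `Store` class and both handlers are constructed for illustration; the browser model reproduces the 2009 behaviour the thread describes (an empty `src` resolving to the document's own URL), which current browsers no longer do.

```python
"""Added example (not part of the mailing-list thread): a small model of
the failure described above, plus the checks a developer would want.
Everything here is constructed: the page URL, the template and the
handlers are illustrative, not code from any real site."""

from html.parser import HTMLParser
from urllib.parse import urljoin

PAGE_URL = "http://example.test/entries/new"  # constructed URL

# Constructed template with one real image and four "empty" img tags
# (three with src="" and one with no src attribute at all).
TEMPLATE = """<html><body>
<h1>New entry</h1>
<img src="logo.png" alt="logo">
<img src="" alt="one"><img src="" alt="two">
<img src="" alt="three">
<img alt="four">
</body></html>"""


class ImgSrcCollector(HTMLParser):
    """Collects every <img> src and the line number of each empty/missing one."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.empty_lines = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        src = dict(attrs).get("src")
        self.srcs.append(src)
        if not src:  # None (attribute absent) or "" (present but empty)
            self.empty_lines.append(self.getpos()[0])


def find_empty_img_src(html):
    """Template check the validator in the thread did not do: return the
    line numbers of <img> tags whose src is empty or missing."""
    collector = ImgSrcCollector()
    collector.feed(html)
    return collector.empty_lines


class Store:
    """Stand-in for the database table that received the extra rows."""

    def __init__(self):
        self.records = []


def vulnerable_app(store, method, url):
    """The pattern in the thread: a record is created on every load of the
    page, regardless of HTTP method."""
    if url != PAGE_URL:
        return 404
    store.records.append(url)
    return 200


def safe_app(store, method, url):
    """GET is read-only; only POST creates a record. Requests a browser
    makes on its own (images, prefetch, a shared link) are GETs, so they
    can no longer write anything. A CSRF token on the POST form is the
    usual complement, not shown here."""
    if url != PAGE_URL:
        return 404
    if method == "GET":
        return 200
    if method == "POST":
        store.records.append(url)
        return 201
    return 405


def simulate_page_load(app, store, page_url, html):
    """Browser model of the 2009 behaviour: fetch the document, then fetch
    each <img> src resolved against the document URL. An empty src resolves
    to the document itself, so the page handler runs once more per empty
    img. Returns the number of records in the store afterwards."""
    app(store, "GET", page_url)
    collector = ImgSrcCollector()
    collector.feed(html)
    for src in collector.srcs:
        app(store, "GET", urljoin(page_url, src or ""))
    return len(store.records)


def records_after_load(app):
    """Records created by a single page load of TEMPLATE under `app`."""
    store = Store()
    return simulate_page_load(app, store, PAGE_URL, TEMPLATE)


def records_after_post(app):
    """Records created by one deliberate form submission under `app`."""
    store = Store()
    app(store, "POST", PAGE_URL)
    return len(store.records)


if __name__ == "__main__":
    print("empty img src on lines:", find_empty_img_src(TEMPLATE))
    print("vulnerable app, one page load:", records_after_load(vulnerable_app))
    print("safe app, one page load:", records_after_load(safe_app))
    print("safe app, one POST:", records_after_post(safe_app))
```

Run as a script, the vulnerable handler ends one page load with 5 records (the document plus four image fetches of the same URL), which is exactly the count reported above, while the POST-only handler ends with 0 and creates a record only when the form is actually submitted. The line-number check is the cheap way to catch the template problem before it ever shows up as spurious rows.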