- From: Tab Atkins Jr. <jackalmage@gmail.com>
- Date: Sun, 24 Jan 2010 16:41:42 -0600
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: Shelley Powers <shelley.just@gmail.com>, Ian Hickson <ian@hixie.ch>, "public-html@w3.org WG" <public-html@w3.org>
On Sun, Jan 24, 2010 at 2:16 PM, Tab Atkins Jr. <jackalmage@gmail.com> wrote:
> Or do the standard url-escaping functions built into basically
> all programming languages cover it completely?
The answer, by the way, is no. I can't speak for other languages, but
PHP's standard url escaping function, urlencode(), will escape spaces
as +. data: urls require spaces to be encoded as %20.
Test case provided by Philip`: "data:text/html," . urlencode("a b")
produces "data:text/html,a+b", which produces a page containing the
text "a+b".
So, for PHP, the most common web-programming language on the internet,
authors would have to write their own url escaping function for data:
urls. This is a non-trivial matter, especially when unicode is
involved, opening them to the possibility of attack. Compare to the
srcdocEscape function I wrote earlier:
function srcdocEscape($html) {
    return strtr($html, array("&" => "&amp;", '"' => "&quot;"));
}
Trivial and correct.
~TJ
Received on Sunday, 24 January 2010 22:42:34 UTC
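The behaviour discussed in the message above, as an added example that is not part of the original thread or of any project's code. It contrasts PHP's urlencode() (application/x-www-form-urlencoded, space becomes "+") with rawurlencode() (RFC 3986 percent-encoding, space becomes "%20") when building a data: URL, checks each URL the way a data: URL consumer would (plain percent-decoding, no "+"-to-space translation), and places the srcdocEscape() from the message beside them in a double-quoted srcdoc attribute. The function names, the "charset=utf-8" parameter and the sample input are my own choices and are not from the message.

```php
<?php
// Added example, not from the mailing-list message.

// urlencode() emits application/x-www-form-urlencoded output: a space
// becomes "+". In a data: URL a "+" is a literal plus sign, so the
// document text changes.
function dataUrlWithUrlencode(string $html): string {
    return "data:text/html;charset=utf-8," . urlencode($html);
}

// rawurlencode() emits RFC 3986 percent-encoding: a space becomes "%20",
// which is what a data: URL payload needs. Non-ASCII bytes of the UTF-8
// string are percent-encoded byte by byte, hence the charset parameter
// (assumption: the page is served as UTF-8 text).
function dataUrlWithRawurlencode(string $html): string {
    return "data:text/html;charset=utf-8," . rawurlencode($html);
}

// A data: URL consumer percent-decodes the part after the first comma and
// does nothing else; rawurldecode() models that. This check tells us
// whether the document a browser would see equals the original text.
function dataUrlPayloadRoundTrips(string $url, string $original): bool {
    $payload = substr($url, strpos($url, ',') + 1);
    return rawurldecode($payload) === $original;
}

// srcdocEscape() as given in the message: inside a double-quoted HTML
// attribute only "&" and '"' have to be escaped. The value is attribute
// text, not a URL, so no percent-encoding is involved at all.
function srcdocEscape(string $html): string {
    return strtr($html, array("&" => "&amp;", '"' => "&quot;"));
}

// Wraps the escaped markup in a double-quoted srcdoc attribute. A single
// quote or an unquoted attribute would need different escaping, so the
// quoting style here and in srcdocEscape() must match.
function srcdocIframe(string $html): string {
    return '<iframe srcdoc="' . srcdocEscape($html) . '"></iframe>';
}

// Constructed sample input: spaces, an ampersand, double quotes and a
// non-ASCII character, the cases where the two encoders diverge.
$sample = "a b & \"c\" \u{00E9}";

$viaUrlencode    = dataUrlWithUrlencode($sample);
$viaRawurlencode = dataUrlWithRawurlencode($sample);

echo $viaUrlencode, "\n";
echo $viaRawurlencode, "\n";
echo "urlencode round-trips:    ", var_export(dataUrlPayloadRoundTrips($viaUrlencode, $sample), true), "\n";
echo "rawurlencode round-trips: ", var_export(dataUrlPayloadRoundTrips($viaRawurlencode, $sample), true), "\n";
echo srcdocIframe($sample), "\n";
```

Run with `php example.php`. The urlencode() variant fails the round-trip check because its "+" characters survive percent-decoding as literal plus signs, while the rawurlencode() variant decodes back to the original string; the srcdoc line shows the escaped attribute value with no URL encoding applied to the HTML at all.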