Re: <iframe doc="">

On Sun, Jan 24, 2010 at 2:16 PM, Tab Atkins Jr. <jackalmage@gmail.com> wrote:
> Or do the standard url-escaping functions built into basically
> all programming languages cover it completely?

The answer, by the way, is no.  I can't speak for other languages, but
PHP's standard url escaping function, urlencode(), will escape spaces
as +.  data: urls require spaces to be encoded as %20.

Test case provided by Philip`: "data:text/html,".urlencode("a b")
produces "data:text/html,a+b", which produces a page containing the
text "a+b".

So, for PHP, the most common web-programming language on the internet,
authors would have to write their own url escaping function for data:
urls.  This is a non-trivial matter, especially when unicode is
involved, opening them to the possibility of attack.  Compare to the
srcdocEscape function I wrote earlier:

function srcdocEscape($html) {
  // Inside a double-quoted attribute value only & and " are significant
  // to the tokenizer, so those are the only two characters to escape.
  return strtr($html, array("&" => "&amp;", '"' => "&quot;"));
}

Trivial and correct.

~TJ

Received on Sunday, 24 January 2010 22:42:34 UTC
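The two escaping problems in the message above, as an added example (mine, not code from the thread): a form-style encoder turns a space into "+", which a data: URL carries through as a literal plus sign, while RFC 3986 percent-encoding gives "%20"; and a srcdoc attribute only needs & and " escaped, but without that escaping an untrusted quote closes the attribute early. Python's quote_plus()/quote() stand in for PHP's urlencode()/rawurlencode(); the untrusted fragment and the minimal attribute reader are constructed for the demonstration.

```python
from urllib.parse import quote, quote_plus, unquote
import html

# Constructed untrusted fragment: a space, double quotes, an ampersand and a
# non-ASCII character, which are exactly the cases the thread worries about.
UNTRUSTED = 'a b "x" & caf\u00e9'


def data_url_form_encoded(fragment: str) -> str:
    """Build a data: URL with a form-style encoder (like PHP's urlencode()).
    Spaces become '+', and a data: URL treats '+' as a literal plus sign."""
    return "data:text/html," + quote_plus(fragment)


def data_url_percent_encoded(fragment: str) -> str:
    """Build a data: URL with RFC 3986 percent-encoding (like PHP's
    rawurlencode()): spaces become %20 and UTF-8 bytes become %XX."""
    return "data:text/html;charset=utf-8," + quote(fragment, safe="")


def decode_data_url_body(url: str) -> str:
    """Return the document text a browser derives from the data: URL body."""
    body = url.split(",", 1)[1]
    return unquote(body)  # '+' is not decoded to a space here


def srcdoc_escape(fragment: str) -> str:
    """Python twin of the thread's srcdocEscape(): inside a double-quoted
    attribute value only & and " need escaping."""
    return fragment.replace("&", "&amp;").replace('"', "&quot;")


def iframe_srcdoc(fragment: str) -> str:
    """Correct markup: the fragment is escaped before it enters the attribute."""
    return '<iframe srcdoc="' + srcdoc_escape(fragment) + '"></iframe>'


def iframe_srcdoc_unescaped(fragment: str) -> str:
    """Defective markup for comparison: the fragment is inserted verbatim."""
    return '<iframe srcdoc="' + fragment + '"></iframe>'


def srcdoc_attribute_value(markup: str) -> str:
    """Read the srcdoc value the way an HTML tokenizer would: the value runs
    to the next double quote, then character references are decoded."""
    start = markup.index('srcdoc="') + len('srcdoc="')
    end = markup.index('"', start)
    return html.unescape(markup[start:end])


if __name__ == "__main__":
    # The form-encoded data: URL delivers "a+b", the percent-encoded one "a b".
    print(decode_data_url_body(data_url_form_encoded("a b")))
    print(decode_data_url_body(data_url_percent_encoded("a b")))
    # The escaped srcdoc round-trips; the unescaped one is cut at the quote.
    print(repr(srcdoc_attribute_value(iframe_srcdoc(UNTRUSTED))))
    print(repr(srcdoc_attribute_value(iframe_srcdoc_unescaped(UNTRUSTED))))
```

The round trip through srcdoc_attribute_value is the check worth keeping in a test suite: whatever goes into srcdoc_escape() must come back out unchanged, and the unescaped variant fails that check on the first embedded quote.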