Re: <iframe doc="">

On Sun, Jan 24, 2010 at 4:55 PM, Thomas Broyer <t.broyer@ltgt.net> wrote:
> On Sun, Jan 24, 2010 at 11:41 PM, Tab Atkins Jr. <jackalmage@gmail.com> wrote:
>> On Sun, Jan 24, 2010 at 2:16 PM, Tab Atkins Jr. <jackalmage@gmail.com> wrote:
>>> Or do the standard url-escaping functions built into basically
>>> all programming languages cover it completely?
>>
>> The answer, by the way, is no.  I can't speak for other languages, but
>> PHP's standard url escaping function, urlencode(), will escape spaces
>> as +.  data: urls require spaces to be encoded as %20.
>>
>> Test case provided by Philip`: "data:text/html".urlencode("a b")
>> produces "data:text/html,a+b", which produces a page containing the
>> text "a+b".
>>
>> So, for PHP, the most common web-programming language on the internet,
>> authors would have to write their own url escaping function for data:
>> urls.  This is a non-trivial matter, especially when unicode is
>> involved, opening them to the possibility of attack.  Compare to the
>> srcdocEscape function I wrote earlier:
>>
>> function srcdocEscape($html) {
>>  return strtr($html,array("&"=>"&amp;", '"'=>"&quot;"));
>> }
>>
>> Trivial and correct.
>
> Correct me if I'm wrong, but PHP's rawurlencode() should do what's
> needed here (otherwise, "fixing" urlencode() should be as easy as
> str_replace('+', '%20', urlencode($html)); because urlencode() should
> have encoded pluses into %2B already)

Nah, you're right.  It's just yet another function to remember to use,
among the plethora of similar-but-different functions in PHP.  I'd
forgotten about it.

~TJ

Received on Sunday, 24 January 2010 23:20:07 UTC