W3C home > Mailing lists > Public > public-html@w3.org > January 2010

Re: <iframe doc="">

From: Tab Atkins Jr. <jackalmage@gmail.com>
Date: Sun, 24 Jan 2010 17:19:15 -0600
Message-ID: <dd0fbad1001241519h3c8563adg9649cf63ae04f5c@mail.gmail.com>
To: Thomas Broyer <t.broyer@ltgt.net>
Cc: "public-html@w3.org WG" <public-html@w3.org>
On Sun, Jan 24, 2010 at 4:55 PM, Thomas Broyer <t.broyer@ltgt.net> wrote:
> On Sun, Jan 24, 2010 at 11:41 PM, Tab Atkins Jr. <jackalmage@gmail.com> wrote:
>> On Sun, Jan 24, 2010 at 2:16 PM, Tab Atkins Jr. <jackalmage@gmail.com> wrote:
>>> Or do the standard url-escaping functions built into basically
>>> all programming languages cover it completely?
>> The answer, by the way, is no.  I can't speak for other languages, but
>> PHP's standard url escaping function, urlencode(), will escape spaces
>> as +.  data: urls require spaces to be encoded as %20.
>> Test case provided by Philip`: "data:text/html".urlencode("a b")
>> produces "data:text/html,a+b", which produces a page containing the
>> text "a+b".
>> So, for PHP, the most common web-programming language on the internet,
>> authors would have to write their own url escaping function for data:
>> urls.  This is a non-trivial matter, especially when unicode is
>> involved, opening them to the possibility of attack.  Compare to the
>> srcdocEscape function I wrote earlier:
>> function srcdocEscape($html) {
>>  return strtr($html,array("&"=>"&amp;", '"'=>"&quot;"));
>> }
>> Trivial and correct.
> Correct me if I'm wrong, but PHP's rawurlencode() should do what's
> needed here (otherwise, "fixing" urlencode() should be as easy as
> str_replace('+', '%20', urlencode($html)); because urlencode() should
> have encoded pluses into %2B already)

Nah, you're right.  It's just yet another function to remember to use,
among the plethora of similar-but-different functions in PHP.  I'd
forgotten about it.

Received on Sunday, 24 January 2010 23:20:07 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 29 October 2015 10:15:57 UTC