Re: [whatwg/url] Record whether the URL parser removed newlines. (#284)

> We'd have to have a pre-processing step in various callsites in HTML (basically wrapping the URL parsing call with something that holds a variable), which is certainly doable, but strange.

> As written here, the flag isn't exposed to the web

I think it might be good to point this out in the spec, and further elaborate on the nature of this flag as not relevant for the general URL parsing behavior that the URL Standard mostly covers. I would phrase it as something like this:

> NOTE: the potentially-dangling-markup flag is stored for later use by the HTML Standard to mitigate certain attack scenarios. Conceptually, it is not really a part of the URL record type, but is kept here for convenience. An alternate specification or implementation strategy would be that all invocations of the URL parser in HTML first scan the input string for the appropriate patterns, before performing the normal URL parsing algorithm. Implementations that do not plan to implement the relevant parts of the HTML Standard can ignore this flag and parts of the parsing algorithm that set it.

However in writing the above I realize I am confused. Is this a mitigation applied to Fetch, or to HTML? I think the PRs apply it to Fetch, right? (Unlike my above paragraph states.) Which means that attempting to do

```js
new WebSocket(new URL(`wss://example.com/foo\nbar>baz`).href);
```

will fail, right? Are there tests for this (and for other non-HTML-related URL parsing behaviors)? Is this even desirable? Maybe the specification layering where HTML wraps specific invocations of the URL parser would be better after all...

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/url/pull/284#issuecomment-303367119

Received on Tuesday, 23 May 2017 11:16:32 UTC