Re: [whatwg/url] Editorial: clarify the types of strings algorithms take and return (PR #719) from Domenic Denicola on 2022-12-05 (public-webapps-github@w3.org from December 2022)

From: Domenic Denicola <notifications@github.com>
Date: Sun, 04 Dec 2022 22:01:41 -0800
To: whatwg/url <url@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/url/pull/719/review/1203889122@github.com>

@domenic approved this pull request.

Mostly seems good, but a few suggestions for how it could be tighter in the face of external specs feeding bad values in to un-guarded algorithms that call the newly-guarded ones.

> @@ -175,8 +175,8 @@ bytes that are not <a>ASCII bytes</a> might be insecure and is not recommended.
  <li><p>Return <var>output</var>.
 </ol>
 

While checking call sites I noticed that https://url.spec.whatwg.org/#ref-for-string-percent-decode and https://url.spec.whatwg.org/#ref-for-string-percent-decode%E2%91%A2 link to the wrong "percent-decode".

> @@ -289,8 +289,8 @@ optional boolean <var>spaceAsPlus</var> (default false), run these steps:
 of running <a for=string>percent-encode after encoding</a> with <a for=/>UTF-8</a>,
 <var>codePoint</var> as a <a for=/>string</a>, and <var>percentEncodeSet</var>.
 
-<p>To <dfn export for=string>UTF-8 percent-encode</dfn> a <a for=/>string</a> <var>input</var> using
-a <var>percentEncodeSet</var>, return the result of running
+<p>To <dfn export for=string>UTF-8 percent-encode</dfn> a <a for=/>scalar value string</a>
+<var>input</var> using a <var>percentEncodeSet</var>, return the result of running
 <a for=string>percent-encode after encoding</a> with <a for=/>UTF-8</a>, <var>input</var>, and
 <var>percentEncodeSet</var>.

The call site at https://url.spec.whatwg.org/#ref-for-string-percent-encode-after-encoding could technically be fed a surrogate code point. Maybe it should have an assert to prevent anyone from doing that.

Similarly I don't believe there's any requirement that the input to https://url.spec.whatwg.org/#ref-for-string-percent-encode-after-encoding%E2%91%A5 consist of tuples which contain scalar value strings.

> @@ -706,8 +706,8 @@ to be distinguished.
 <h3 id=host-parsing>Host parsing</h3>
 
 <p>The <dfn export id=concept-host-parser lt="host parser|host parsing">host parser</dfn> takes a
-string <var>input</var> with an optional boolean <var>isNotSpecial</var> (default false), and then
-runs these steps:
+<a>scalar value string</a> <var>input</var> with an optional boolean <var>isNotSpecial</var>
+(default false), and then runs these steps:

You may want to propogate this to https://html.spec.whatwg.org/#is-a-registrable-domain-suffix-of-or-is-equal-to

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/url/pull/719#pullrequestreview-1203889122
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/url/pull/719/review/1203889122@github.com>

Received on Monday, 5 December 2022 06:01:54 UTC