[whatwg] Proposal for improved handling of '#' inside of data URIs

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Sat, 10 Sep 2011 22:31:14 -0400
Message-ID: <4E6C1D72.6080801@mit.edu>

On 9/10/11 9:04 PM, Nils Dagsson Moskopp wrote:
> Oops, partial misunderstanding. While I did not think of SVG (thanks),
> I wanted to know how often authors have erred here by not properly
> encoding their data, expecting it to work.

Good question.

Given that it used to work in Gecko, WebKit, and Presto (unlike SVG from 
data:, which did not really work in Gecko), it might have been 
reasonably common....

On the other hand, this would presumably mostly be a problem for people 
hand-writing data: URIs.  Any sort of data: URI generator would get this 
right, as you point out.

I suspect that data: URI usage on the web is rare enough so far that 
there are no serious backwards-compat issues.

> Btw: Are there possible security implications of data URI parse changes?

Not so much implications of the "changes", since it's not like UAs 
actually parse them per spec... but yes, a URI like this:

   data:text/html,#<script>doStuff()</script>

is very difficult to sanitize if your URI parser just treats the part 
before '#' as the data while a browser treats everything after the ',' 
as the data.  So there are definitely security implications to the fact 
that the browser behavior is not consistent, either across browsers, 
within a given browser, or with the specs.

-Boris
Received on Saturday, 10 September 2011 19:31:14 UTC
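
The parser disagreement described in the message above, as an added Python sketch that is not part of the original post: `urllib.parse.urlsplit` stands in for a URI parser that cuts at '#', and a split on the first ',' stands in for a browser that treats everything after the ',' as the data. The function names and the '<' markup check are hypothetical.

```python
from urllib.parse import urlsplit, unquote

# The URI quoted in the message above.
SAMPLE = "data:text/html,#<script>doStuff()</script>"


def data_before_fragment(uri):
    """Payload as a generic URI parser sees it: the first '#' starts a fragment."""
    path = urlsplit(uri).path          # fragment already cut off here
    return unquote(path.partition(",")[2])


def data_after_comma(uri):
    """Payload as a consumer sees it when everything after ',' is the data."""
    return unquote(uri.partition(",")[2])


def has_markup(payload):
    # Hypothetical stand-in for whatever content check the filter performs.
    return "<" in payload


def naive_filter_allows(uri):
    """Checks only the parser's view, so the text after '#' is never inspected."""
    return not has_markup(data_before_fragment(uri))


def strict_filter_allows(uri):
    """Rejects data: URIs whose two readings differ, then checks the full payload."""
    if urlsplit(uri).scheme != "data":
        return False                   # this sketch only handles data: URIs
    full = data_after_comma(uri)
    if data_before_fragment(uri) != full:
        return False                   # raw '#' present: consumers may disagree
    return not has_markup(full)


if __name__ == "__main__":
    for uri in (SAMPLE, "data:text/plain,a%23b"):
        print(uri, naive_filter_allows(uri), strict_filter_allows(uri))
```

A '#' written as %23 is read the same way by both functions, so the strict filter only refuses the raw, ambiguous form.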