Re: Warn about unknown parameters

Hi,

second try:

There are programs [1] and people who do something evil, they take a
template like

  http://validator.w3.org/check?uri=<uri>

and try to get the resulting ressource, the W3C Validator output for the
given URI, obviously. The don't escape the <uri> part properly while
they must do that since the <uri> is _data_ and may contain e.g.
reserved characters like "?" or ";" that may conflict with the resulting
URI. Example:

  http://validator.w3.org/check?uri=http://host/?;foo

The characters [/?;] are such reserved characters. Unencoded they are
interpreted as part of the whole URI, in our case this means, "foo" is
interpreted as CGI parameter since we accept ';' as parameter seperator.

The URI should look like

  http://validator.w3.org/check?uri=http:%2F%2Fhost%2F%3F%3Bfoo

To _avoid confusion_ if someone or some tool does this, we should warn
about parameters found we don't know, 'foo' in this case. We don't
complain about 'uri' since we know this parameter. We can't warn about
an improper escaped URI as parameter without reparsing the QUERY_STRING
and I don't think this would be a good idea.

Warning about unknown parameters is as easy as

  warn "unknown parameter $_. Did you escape the URI properly?\n"
    foreach grep { not /^(uri|...|...|...)$/ } $q->params;

where ... represent additional known parameters.

[1] programs like my Internet Explorer context menu addon found at
    http://www.bjoernsworld.de/ie/addons.html for the W3C HTML Validator
    ;-)
-- 
Björn Höhrmann { mailto:bjoern@hoehrmann.de } http://www.bjoernsworld.de
am Badedeich 7 } Telefon: +49(0)4667/981028 { http://bjoern.hoehrmann.de
25899 Dagebüll { PGP Pub. KeyID: 0xA4357E78 } http://www.learn.to/quote/

Received on Wednesday, 1 August 2001 22:10:20 UTC