- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Thu, 02 Aug 2001 04:09:14 +0200
- To: www-validator@w3.org
Hi, second try: There are programs [1] and people who do something evil: they take a template like http://validator.w3.org/check?uri=<uri> and try to get the resulting resource, the W3C Validator output for the given URI, obviously. They don't escape the <uri> part properly, while they must do that since the <uri> is _data_ and may contain e.g. reserved characters like "?" or ";" that may conflict with the resulting URI. Example:

  http://validator.w3.org/check?uri=http://host/?;foo

The characters [/?;] are such reserved characters. Unencoded they are interpreted as part of the whole URI; in our case this means "foo" is interpreted as a CGI parameter since we accept ';' as parameter separator. The URI should look like

  http://validator.w3.org/check?uri=http:%2F%2Fhost%2F%3F%3Bfoo

To _avoid confusion_ if someone or some tool does this, we should warn about parameters found that we don't know, 'foo' in this case. We don't complain about 'uri' since we know this parameter. We can't warn about an improperly escaped URI as parameter without reparsing the QUERY_STRING, and I don't think this would be a good idea. Warning about unknown parameters is as easy as

  # $q is the CGI.pm object; param() with no arguments returns the parameter names
  warn "unknown parameter $_. Did you escape the URI properly?\n"
    foreach grep { not /^(uri|...|...|...)$/ } $q->param;

where ... represent additional known parameters.

[1] programs like my Internet Explorer context menu addon found at http://www.bjoernsworld.de/ie/addons.html for the W3C HTML Validator ;-)

-- 
Björn Höhrmann { mailto:bjoern@hoehrmann.de } http://www.bjoernsworld.de
am Badedeich 7 } Telefon: +49(0)4667/981028 { http://bjoern.hoehrmann.de
25899 Dagebüll { PGP Pub. KeyID: 0xA4357E78 } http://www.learn.to/quote/
Received on Wednesday, 1 August 2001 22:10:20 UTC
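Both halves of the problem in the mail above, the client that pastes a URI into the template unescaped and the server-side warning about unknown parameters, as an added Python example. This is not code from the W3C Validator or from the message's author. Assumptions: the known-parameter set contains only "uri" because the mail elides the rest; the query string is split on both '&' and ';' exactly as the mail describes the validator doing; the input URI is constructed for the demo.

```python
import re
from urllib.parse import quote, unquote_plus

VALIDATOR = "http://validator.w3.org/check"

# Parameters the check script knows. The mail writes "uri|...|..." for the
# real list, so this demo (an assumption) treats only "uri" as known.
KNOWN_PARAMS = {"uri"}


def build_naive(uri):
    """The broken template from the mail: the URI is pasted in as-is."""
    return f"{VALIDATOR}?uri={uri}"


def build_escaped(uri):
    """Correct form: the URI is data, so every reserved character is
    percent-encoded. safe='' also encodes ':' (the mail's example leaves
    it bare; both forms are valid in a query value)."""
    return f"{VALIDATOR}?uri={quote(uri, safe='')}"


def parse_query(url):
    """Split the query string of a URL the way the mail says the validator
    does: both '&' and ';' separate name=value pairs. Returns a list of
    (name, value) tuples with percent-encoding removed."""
    if "?" not in url:
        return []
    query = url.split("?", 1)[1]
    pairs = []
    for part in re.split(r"[&;]", query):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def unknown_param_warnings(url):
    """The server-side check proposed in the mail: one warning per parameter
    name that the script does not recognise."""
    return [
        f"unknown parameter {name}. Did you escape the URI properly?"
        for name, _ in parse_query(url)
        if name not in KNOWN_PARAMS
    ]


if __name__ == "__main__":
    # Constructed input: the mail's own example of a URI with reserved characters.
    target = "http://host/?;foo"
    for builder in (build_naive, build_escaped):
        url = builder(target)
        print(url)
        print("  parsed :", parse_query(url))
        print("  warning:", unknown_param_warnings(url) or "none")
```

Run it and the naive URL parses into two parameters, "uri" truncated at the first '?' and a spurious "foo", which triggers the warning; the escaped URL parses back into the single "uri" value and produces no warning.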