Re: Warn about unknown parameters

On 01.08.01 at 03:14, Bjoern Hoehrmann <> wrote:

>* Terje Bless wrote:
>>On 31.07.01 at 18:52, Bjoern Hoehrmann <> wrote:
>>>In our german web authoring newsgroup Thomas Mager just wondered why
>There is a ';1' at the end, got that?
>>I'm feeling a little dense at the moment. Could you talk me through the
>>issue step by step, and with big letters and little words? :-)
>We are using ';' as CGI parameter separator, the '1' is interpreted as
>parameter for the Validator instead of one for the .shtml page as it was
>intended. The URI is improperly escaped, but he didn't figure that out.
>So, if we encounter unknown parameters like '1' we should warn about them.
>Known parameters are e.g. 'uri' or 'fragment', those little thingies you
>query with the param() method of the CGI object... ;-)

Yeah, I'm kinda with you so far, but how does that change whether or not
the page is Valid? We ignore unknown parameters completely so the presense
of one shouldn't alter the validity of the results, only that we may be
sending the request (for the page to validate) with one or more parameters
missing. IOW, we aren't validating that page at all.

Waitaminute... We end up requesting a different page and that page happens
to be invalid? So the extra params aren't affecting _our_ behaviour, it's
the _lack_ of params that makes the _validated_ server change _it's_
«behaviour»? IOW, it's not an error in the Validator -- the error lies with
the user failing to escape CGI params -- it's just that it would be a
usefull feature to actually give a warning about it to make the user aware
that s/he needs to escape these characters?

Did I manage to twist my brane around it, or do I need more spoonfeeding?


Received on Tuesday, 31 July 2001 22:47:17 UTC