(feat) Support semicolon as a param separator #71
Conversation
Per W3C recommendation ';' should be supported as a param separator. See: https://www.w3.org/TR/1999/REC-html401-19991224/appendix/notes.html#h-B.2.2 This helps solve an external issue where URLs with entities are being munged
|
This is a very old document. That text is no longer present in the most recent spec: https://url.spec.whatwg.org/#concept-urlencoded I would recommend you fix the code where you generated this and encode the special characters properly. Erlydtl will do that automatically for example. Note that not encoding them can lead to XSS or worse. I doubt there's too much utility to having this upstream. |
|
It really is more about being able to support params with ';' separators. In many cases we're dealing with URLs where params are added by users we cannot control. When an This is not really about If we support ';' sep in cowboy we can then issue links as "?param1=value1;note=value" which does not suffer the same potential consequences As far as I can tell from reading the RFC3986 and other references, ';' is a reserved character available for use as a separator. |
|
I'm not sure I understand. To give a common example:
There isn't a lot of cases where this wouldn't work. Maybe if your input was HTML, but then what you really need is an HTML sanitizer library to sanitize the input. I just don't see the use case, you'll need to be more specific. And assuming there is one, the current implementation should probably have a |
|
Use case: User A adds a link to the system for UserB to use http://example.com/?a=1©count=25 (the parameters are not fixed and could be anything) User B gets the link in their browser as text: User copy/pastes that link into their code That link is then clicked by one of their visitors and the visitor hits our server Since we've lost the It seems this is true for a large number HTML entities which can be interpreted through In short, it's really a browser issue causing loss of fidelity with text thanks to it's automatic parsing (even when what you'd think would be a required terminating ';' for the entity is missing) By supporting the ';' separator we can alleviate the issue (somewhat) as the rendered link would no longer be seen to contain html entities I agree with the |
That's what I'm saying. There's no reason for the browser to interpret it as an entity if the server is sending the data properly. If you mean text as in a text file, the media type needs to be If you mean text as in a part of an HTML file, then you need to encode the special characters. An example encode function could be: html_encode(Text) ->
<<case C of
$& -> <<"&">>;
$< -> <<"<">>;
$> -> <<">">>;
$" -> <<""">>;
$' -> <<"'">>;
_ -> <<C/utf8>>
end || <<C/utf8>> <= Text>>.Not encoding data coming from external sources properly creates security flaws like XSS and others. |
|
I'm going to agree with you here. Think I was barking up the wrong tree. We'll should just have to add formatters for different outputs to solve the issue. |
Per W3C recommendation ';' should be supported as a param separator.
See: https://www.w3.org/TR/1999/REC-html401-19991224/appendix/notes.html#h-B.2.2
This helps solve an external issue where URLs with entities are being munged
For example:
"?param1=value1¬e=value" gets converted to "?param1=value1¬e=value"
in browser display