[Webkit-unassigned] [Bug 20559] decodeURLEscapeSequences will unescape NULLs and will mangle not encodable characters

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Aug 28 18:35:14 PDT 2008


https://bugs.webkit.org/show_bug.cgi?id=20559





------- Comment #4 from darin at apple.com  2008-08-28 18:35 PDT -------
Can we create a test that demonstrates these problems? Do these affect real
websites?

We should make fixes based on effects rather than on critique of the code. I'd
like to see us start with a test case. And it would be really great to have an
example of at least one website that will work better if we make the code
change.

I'm not fully convinced by the "embedded null characters are dangerous"
argument. We don't have code that treats null characters as a special case, and
I don't find the fact that other browsers had code like that to be a compelling
argument. I'm more convinced by the "be consistent with IE" argument, though,
so it may not be important what I think about the other argument. But also, you
can change my mind if I'm wrong.

> This is actually a pretty big problem. If I'm on a Japanese page with a path
> encoded as ShiftJIS (escaped), if that page requests
> document.location.pathname, it will be wrong.

I'd like to understand exactly what "wrong" means here. We do need to match the
behavior of other browsers.

But as you probably know, in general URLs don't necessarily correspond to a
Unicode string. They are sent, byte for byte, to the server, and the server
responds, so even URLs with invalid %-escape sequences might work on some sites
and servers.

So I'm not sure exactly what the right behavior is for JavaScript functions
that return pieces of URLs, since JavaScript strings are UTF-16, and not a
stream of bytes. I'd need to see some evidence of what behavior is on the web
and what websites expect in addition to compelling arguments about how things
should work.


-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
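
The byte-versus-string question raised in the comment above, as an added example that is not part of the original message or of WebKit's code: it percent-decodes a path to raw bytes and reports whether those bytes contain a NUL and whether they survive conversion to a JavaScript string as UTF-8. The function names are hypothetical and the sample paths are constructed.

```javascript
// Added example, not WebKit code. Function names are hypothetical and
// the sample paths are constructed.
const HEX2 = /^[0-9a-fA-F]{2}$/;

// Percent-decode to raw bytes. Malformed escapes such as "%zz" stay literal;
// characters that are not escaped are emitted as their UTF-8 bytes.
function percentDecodeToBytes(s) {
  const enc = new TextEncoder();
  const out = [];
  for (let i = 0; i < s.length; ) {
    const hex = s.slice(i + 1, i + 3);
    if (s[i] === '%' && HEX2.test(hex)) {
      out.push(parseInt(hex, 16));
      i += 3;
    } else {
      const ch = String.fromCodePoint(s.codePointAt(i));
      out.push(...enc.encode(ch));
      i += ch.length;
    }
  }
  return Uint8Array.from(out);
}

// Report what a caller gets when those bytes have to become a JS string.
function inspectEscapedPath(path) {
  const bytes = percentDecodeToBytes(path);
  let strictUtf8 = null; // stays null when the bytes are not valid UTF-8
  try {
    strictUtf8 = new TextDecoder('utf-8', { fatal: true }).decode(bytes);
  } catch (e) { /* TypeError: invalid UTF-8 */ }
  let builtin;
  try { builtin = decodeURIComponent(path); } catch (e) { builtin = e.name; }
  return {
    bytes,
    hasNul: bytes.includes(0),
    strictUtf8,
    lossyUtf8: new TextDecoder('utf-8').decode(bytes), // U+FFFD on bad bytes
    builtin,
  };
}

const SAMPLES = {
  utf8: '/%E6%97%A5%E6%9C%AC', // "日本" escaped as UTF-8
  sjis: '/%93%FA%96%7B',       // "日本" escaped as Shift_JIS
  nul: '/a%00b',               // escaped NUL byte
};
for (const [name, path] of Object.entries(SAMPLES)) {
  console.log(name, inspectEscapedPath(path));
}
```

The Shift_JIS sample ends in byte 0x7B, which is `{` in ASCII, so a lossy decode silently turns part of a Japanese character into punctuation.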


