[Webkit-unassigned] [Bug 63267] WebSockets constructor erroneously unescapes forward slashes in URLs
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Jul 6 12:44:58 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=63267
--- Comment #5 from Darin Fisher (:fishd, Google) <fishd at chromium.org> 2011-07-06 12:44:58 PST ---
Brett Wilson (brettw at chromium.org) is actually the original author of KURLGoogle.cpp. I just helped upstream it.
It is almost never a good idea for client software to unescape URLs. The only exception I know of is when you want to display an URL to the user.
It is in my opinion a bug that KURL unescapes URL segments. You should always echo what you get back to the server and let the server deal with the unescaping. Mozilla used to unescape locally in some cases, and in almost each case, it resulted in a security bug. Eventually, Mozilla moved to a model of never unescaping unless it was for UI purposes. Chrome was designed with a similar principle.
I fully support eliminating the unescaping code from KURL, although I'm not certain that it will not have unwanted side-effects for applications embedding WebKit. They may need to do their own unescaping at the UI level, which they may have been counting on WebKit doing for them.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list