Posted by M. Trausch on 11/18/05 03:49
Oli Filth wrote:
>
> They aren't represented the same internally at all. A literal hash in a
> URL delimits an HTML reference to a named anchor, whereas %23 does not,
> it's treated as part of the query string in the HTTP GET request; try
> this simple test to demonstrate this:
>
That's very much like saying the character # on the right side of a hex
dump and the '23' on the left side of a hex dump aren't represented
internally at all. It's just a character reference, either way. Just
because one may receive a flag that the other doesn't in one instance or
several instances does not mean that it will in *all* instances.
>
> Where is it defined as "unsafe", except in RFC 1738 where it states that
> it's unsafe to use # unless to delimit a named anchor reference?
>
> Show me an example where it doesn't work...
>
The fact is that the published standard which addresses the issue states
that it's unsafe. It is wise to be cautious and write defensively
towards something you can refer, then away from it, even if it does work
on 98% of the browsers. My point was that you cannot make a blanket
assumption about something when it's already known that it's unsafe and
the behavior of an action is undefined. There are many examples of
things going wrong with code in the past, related only to the fact that
something didn't follow the rules or the standards because at one time
it was safe to do so, and any one of a million particular vendors made a
change that altered the application behavior, yet maintaining the
standard, and guess what breaks? The application.
If you work defensively to start with, you'll never be bit like that in
the future.
The standards that are out there that deal with escaping of characters
also denote that the application, in many cases, has the right to make
a difference or not, depending on context, and that the safe behavior is
action x and that people (read: programmers) shouldn't rely on the
behavior of something at one time just because something is permitted in
a set of applications.
Bluntly, that's like saying, "Well, I speed through area X every day,
and the X police department never pulls me over," when area X has a
speed limit of 55 MPH. Common sense tells you that it's unsafe (read:
introducing a risk) if you drive faster than that. Just because you
haven't been bitten yet by it, doesn't mean you won't ever be.
- Mike
--
Strip the obvious trash from the header to send e-mail.
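As an added illustration of the distinction argued over in this thread (example code, not part of either poster's message), the standard URL and URLSearchParams API in a browser or Node.js shows that a raw `#` ends the part of the URL the client sends to the server, while `%23` survives into the query string and decodes to a literal `#`; the sample URLs are constructed for the demonstration.

```javascript
// Added example (not from the thread): how a raw '#' and '%23' differ
// once a URL is parsed. Uses the WHATWG URL / URLSearchParams API that
// browsers and Node.js provide.

// Split a URL into the request-target the client puts in the HTTP
// request line (path + query) and the fragment it keeps to itself.
function splitRequestUrl(urlString) {
  const u = new URL(urlString);
  return {
    requestTarget: u.pathname + u.search,       // what reaches the server
    fragment: u.hash,                           // never sent over the wire
    query: Object.fromEntries(u.searchParams),  // decoded parameters
  };
}

// Build a URL defensively: every parameter value goes through
// URLSearchParams, which percent-encodes '#' (as well as '&', '=', '%')
// so a value can never be mistaken for a fragment delimiter.
function buildQueryUrl(base, params) {
  const u = new URL(base);
  for (const [key, value] of Object.entries(params)) {
    u.searchParams.set(key, value);
  }
  return u.toString();
}

// Constructed sample URLs: same intended value "c#programming" for q.
const rawHash = splitRequestUrl("http://example.com/search?q=c#programming");
// rawHash.requestTarget === "/search?q=c"  -> the server never sees "#programming"
// rawHash.fragment      === "#programming"

const encoded = splitRequestUrl("http://example.com/search?q=c%23programming");
// encoded.requestTarget === "/search?q=c%23programming"
// encoded.query.q       === "c#programming" -> the server receives the literal '#'

const built = buildQueryUrl("http://example.com/search", { q: "c#programming" });
// built === "http://example.com/search?q=c%23programming"
```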