On 09/13/2016 08:02 PM, William A Rowe Jr wrote:
> On Tue, Sep 13, 2016 at 10:55 AM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> 
>     On Mon, Sep 12, 2016 at 9:19 PM, Eric Covener <cove...@gmail.com> wrote:
> 
> 
>         For others who might hit a maze of closed/duped bug reports this one
>         is active this year:
>         https://bugzilla.mozilla.org/show_bug.cgi?id=1064700
> 
> 
>     Makes for some disturbing reading... the amount of misinformation
>     is truly mind-boggling (especially if you chase down the other reports.)
>     Their aspirational goal of duplicating the mistakes of the other clients
>     speaks for the wider UA community... sigh. Firefox has since 'uncorrected'
>     their originally correct handling of '[' and ']' to be equally
>     out-of-spec.
> 
>     But it leads to a very thorough survey of the queryargs behavior of the
>     major browser families which is worth reviewing;
>     https://bugzilla.mozilla.org/show_bug.cgi?id=1152455#c6
> 
> 
> unwise/unsafe aside, review the rest of that comment 6 survey.
> But a short synopsis...
> 
> IE fails to encode any byte 7F-FF in the query args (particularly noxious
> with DEL). Retested and this remains true of IE 12 on Windows 10.
> So UTF-8 query arg text is transmitted in raw bytes on IE in violation
> of RFC3986, while all other browsers encode these.
> 
> All browsers use U+FFFD to map the value NUL.  In respect to other
> discussions about ctrl chars, things get interesting. TAB/LF/CR are
> simply eaten and not sent to the server, while other CTRLs in all IE 
> query args are considered invalid, and the browser refuses to
> transmit these. Trailing CTRLs on all browsers are simply discarded.
> 
> Given Microsoft's lead here in ignoring or refusing all CTRLs for query
> args (except DEL which they mishandle anyways) it is starting to look
> especially safe to reject all %XX control chars when operating in the
> StrictURI mode (and as a non-default in 2.2/2.4).  Thoughts?

Sounds sensible. Thanks for your hard work on that topic Bill.

Regards

Rüdiger
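As an added illustration of the rejection rule proposed above (this is not code from the thread nor from httpd itself; the function and enum names are hypothetical), the following standalone C routine classifies a raw query string the way a strict server-side check would: it flags any %XX escape that decodes to a control character (0x00-0x1F or DEL 0x7F), any raw control byte, any malformed escape, and, separately, raw bytes 0x80-0xFF of the kind the survey says IE transmits unencoded. A length is taken explicitly so an embedded NUL is not hidden by strlen().

```c
#include <stdio.h>
#include <string.h>

/* Result codes for the hypothetical strict query-string check. */
enum {
    QS_OK = 0,         /* nothing objectionable found */
    QS_ENC_CTRL = 1,   /* %XX decoding to 0x00-0x1F or 0x7F (DEL) */
    QS_RAW_CTRL = 2,   /* raw byte 0x00-0x1F or 0x7F on the wire */
    QS_BAD_ESCAPE = 3, /* '%' not followed by two hex digits */
    QS_RAW_HIGH = 4    /* raw byte 0x80-0xFF, sent unencoded (as IE does) */
};

/* Value of a hex digit, or -1 if c is not one. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Scan len bytes of q and return the first QS_* finding, QS_OK if none.
 * Percent escapes are decoded only far enough to classify them; the
 * string itself is never modified. */
int strict_query_check(const char *q, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)q[i];
        if (c == '%') {
            int hi, lo, v;
            if (i + 2 >= len)
                return QS_BAD_ESCAPE;            /* truncated escape */
            hi = hexval((unsigned char)q[i + 1]);
            lo = hexval((unsigned char)q[i + 2]);
            if (hi < 0 || lo < 0)
                return QS_BAD_ESCAPE;            /* non-hex digits */
            v = hi * 16 + lo;
            if (v < 0x20 || v == 0x7F)
                return QS_ENC_CTRL;              /* encoded control / DEL */
            i += 2;                              /* skip the two hex digits */
        } else if (c < 0x20 || c == 0x7F) {
            return QS_RAW_CTRL;
        } else if (c >= 0x80) {
            return QS_RAW_HIGH;
        }
    }
    return QS_OK;
}

/* Convenience wrapper for NUL-terminated input. */
int strict_query_check_str(const char *q)
{
    return strict_query_check(q, strlen(q));
}

int main(void)
{
    /* Constructed sample query strings, one per result class. */
    const char *samples[] = {
        "q=hello%20world",   /* QS_OK */
        "q=a%00b",           /* QS_ENC_CTRL: encoded NUL */
        "q=a%7fb",           /* QS_ENC_CTRL: encoded DEL, lowercase hex */
        "q=tab\there",       /* QS_RAW_CTRL: raw TAB */
        "q=a%2",             /* QS_BAD_ESCAPE: truncated */
        "q=caf\xc3\xa9"      /* QS_RAW_HIGH: raw UTF-8 */
    };
    size_t n = sizeof(samples) / sizeof(samples[0]), i;
    for (i = 0; i < n; i++)
        printf("%-20s -> %d\n", samples[i], strict_query_check_str(samples[i]));
    return 0;
}
```

Which codes a server should turn into a 400 is policy: QS_ENC_CTRL and QS_BAD_ESCAPE match the strict rejection discussed in the thread, QS_RAW_CTRL is something no surveyed browser emits, and QS_RAW_HIGH is a separate decision because rejecting it would break IE clients that send UTF-8 unencoded.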
