NickyMeuleman avatar NickyMeuleman commented on August 17, 2024

I knew URL encoding caught some issues when something in a URL might contain reserved characters (like the & character is encoded, because when it shows up in a URL, it's to separate query params).

But I wanted to know more, so I went digging a bit deeper to understand it better.

This happens because the URL-builder on the frontend uses URL to generate the URL, and it follows rfc3986, which encodes a bunch of special characters (including , and !).

The Eleventy serverless docs mention URL parameters should be treated as potentially malicious.
The warning mentions displaying them in templates, but we're not currently doing that.

That being said, the rabbit hole I went down didn't provide a clear answer why the , is one of those encoded characters, only that it is. The closest I got was this snippet from the RFC:

Percent-encoding a reserved character, or decoding a percent-encoded octet that corresponds to a reserved character, will change how the URI is interpreted by most applications.

So I don't know what to do with them.
I'd probably stay on the safe side and keep the encoding.
Then decode it in the serverless function.

That way the URL-builder form keeps the user-friendliness of being able to use a ,, and the URL is URI-encoded according to that RFC. I don't consider the URL having encoded pieces as an issue. Anyone that wants to edit it manually still can. If the pattern of percentage encodings in it is too confusing, there's still the URL-builder form.

On the serverless side, the encoded URL needs to turn into decoded pieces.
Maybe eleventy serverless already does that for you.
If not, we can use decodeURIComponent.

With the !, the solution seems simpler: stripping it out on the frontend if a command starts with it. (either startsWith("!") and substr or your favourite other method)

edit: the input for show commands uses a regex pattern: ^[\w-]+(,[\w-]+)*$
This means a single command has to be composed of "any letter, digit or underscore" (that's what \w matches).
Else the form submission will be rejected. (so a ! is disallowed in this current configuration)
That's still a frontend check, and should only be considered as a guide for users, not as a guarantee (that's what the validators in the serverless function are for).

from showmy.chat.
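The round trip the comment describes, as an added example that is not code from the showmy.chat project: the frontend builds the share URL with the URL API (URLSearchParams percent-encodes "," as %2C and "!" as %21), and the serverless side decodes the value and re-runs the same ^[\w-]+(,[\w-]+)*$ pattern before trusting it. The query parameter name "show" and the base URL are assumptions.

```javascript
// Added example, not showmy.chat's own code. The "show" parameter name and the
// example.invalid base URL are assumptions made for illustration.
const SHOW_PATTERN = /^[\w-]+(,[\w-]+)*$/; // same pattern as the frontend input

// Frontend side: build the share URL with the URL API. URLSearchParams
// percent-encodes "," as %2C and "!" as %21 inside the query string.
function buildShareUrl(commands, base = "https://example.invalid/overlay") {
  const url = new URL(base);
  url.searchParams.set("show", commands.join(","));
  return url.toString();
}

// Serverless side: parse the incoming request URL. searchParams.get() already
// returns the decoded value, so "%2C" comes back as "," with no extra work.
function parseShowParam(requestUrl) {
  const raw = new URL(requestUrl).searchParams.get("show");
  if (raw === null) return { ok: false, reason: "missing" };
  // Re-validate on the server: the frontend pattern is a hint, not a guarantee,
  // because anyone can hand-edit the URL and skip the form entirely.
  if (!SHOW_PATTERN.test(raw)) return { ok: false, reason: "invalid" };
  return { ok: true, commands: raw.split(",") };
}

// Decode a raw, still-encoded value by hand when a framework hands you one.
// decodeURIComponent throws URIError on a malformed sequence such as "%E0%A4%A",
// so guard it instead of letting a crafted URL crash the function.
function decodeRawParam(encoded) {
  try {
    return decodeURIComponent(encoded);
  } catch (e) {
    if (e instanceof URIError) return null;
    throw e;
  }
}

// Frontend normalisation: drop a leading "!" so "!sub" is submitted as "sub".
function stripBang(command) {
  return command.startsWith("!") ? command.slice(1) : command;
}
```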
