
Posts for the month of January 2008

URL Encoding and Quoting

I've just committed a change to the Trac [[Image]] macro that allows more flexible input for URL locations (see trac:changeset:6413).

Having to accept and handle a wider range of input made me start thinking about the security implications and how this could be abused. That got me into a vicious circle of pin-pointing possibilities, how and what to encode and quote, and how to handle some inconsistencies between the various inputs and types. Not good - and way out of scope for something that in theory was a simple change to the macro.

I won't bore with details here, but instead skip right to the conclusion:

  • Quoting of URLs is done by browsers automagically, and for HTML it is generally not needed anymore.
  • HTML escaping all content is plenty enough - it will ensure that a double quote (") in a URL will show as &quot; and not actually close the attribute.

Knowing that, the implementation is as simple as just taking the input and sending it off to rendering. However, it turned out that the Trac URL builder (trac.web.href.Href) quotes the input, so the simple solution was to unquote it and just let HTML escaping look after it - as Genshi, which Trac uses for rendering, does by default.

In the end, the most 'complicated' line turned out as simple as it gets:

        from urllib import unquote  # Python 2 stdlib, as used by Trac at the time

        # use href, but unquote to allow args (use default html escaping)
        raw_url = url = desc = unquote(formatter.href(filespec))
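To show the point in working code, here is an added example (not the macro's or Trac's own code, written for Python 3): build_href is an assumed stand-in for trac.web.href.Href that URL-quotes its input, Genshi's default escaping is modelled with html.escape(quote=True), and the result is parsed back so you can see that an embedded double quote stays inside the src attribute; attr_escape=False shows what goes wrong when only <, > and & are escaped.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote, unquote


def build_href(base, filespec):
    """Stand-in for trac.web.href.Href (an assumption, not Trac's code): the
    real builder URL-quotes the path it is handed, so '?' and '=' in a
    filespec come back as %3F and %3D."""
    return base.rstrip("/") + "/" + quote(filespec)


def render_img(base, filespec, attr_escape=True):
    """The macro's approach: unquote the built URL so args survive, then rely
    on HTML escaping with quote=True (Genshi's default) when the value lands
    in an attribute. attr_escape=False leaves the double quote alone, which is
    the case the post warns about."""
    raw_url = unquote(build_href(base, filespec))
    value = escape(raw_url, quote=attr_escape)
    return '<img src="%s" alt="%s" />' % (value, value)


class _ImgReader(HTMLParser):
    """Read the <img> attributes back the way a browser would see them."""
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.attrs = dict(attrs)


def parsed_img_attrs(markup):
    """Return the attributes the parser recovers from the rendered <img>."""
    reader = _ImgReader()
    reader.feed(markup)
    reader.close()
    return reader.attrs


if __name__ == "__main__":
    # constructed sample: a filename with spaces and double quotes plus a query arg
    BASE = "http://example.test/trac"   # placeholder base URL, not a real site
    SPEC = 'attachment/wiki/Page/my "cool" pic.png?format=raw'
    print(build_href(BASE, SPEC))       # quoted: %20, %22, %3F, %3D
    print(render_img(BASE, SPEC))       # unquoted, then &quot; in the attribute
    print(parsed_img_attrs(render_img(BASE, SPEC))["src"])  # full URL intact
```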

Learned something (again).

  • Posted: 2008-01-24 13:54 (Updated: 2008-01-26 00:31)
  • Categories: trac
  • Comments (0)

Odd Simon Simonsen

Hi there!

I work at BV Network AS, and I develop and maintain CodeResort. If you are looking for news related to the service, you should head over to the Official CodeResort blog instead - I'll be posting there for anything related to using the service.

My own personal blog (this one) will be more 'behind the scenes', with topics that arise in my day-to-day work, the things I do, stuff I read or discover, and from the interactions I have with the various people and projects that provide the foundation of this service. I am a member of the Trac development team, and I also do work related to most of the plugins we use here - including some that are developed for CodeResort and open sourced. I also maintain some CodeResort software in our open project.

Thanks for visiting, and I hope you will find useful things here! Oh, and if you have an opinion on a topic, do feel free to comment (login required).

Enjoy!


:::simon

  • Posted: 2008-01-18 03:18 (Updated: 2012-08-31 02:35)
  • Categories: about
  • Comments (0)