On Tue, Sep 13, 2016 at 10:55 AM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> On Mon, Sep 12, 2016 at 9:19 PM, Eric Covener <cove...@gmail.com> wrote: > >> >> For others who might hit a maze of closed/duped bug reports this one >> is active this year: >> https://bugzilla.mozilla.org/show_bug.cgi?id=1064700 >> > > Makes for some disturbing reading... the amount of misinformation > is truly mind-boggling (especially if you chase down the other reports.) > Their aspirational goal of duplicating the mistakes of other the clients > speaks for the wider UA community... sigh. Firefox since 'uncorrected' > their originally correct handling of '[' and ']' to be equally out-of-spec. > > But it leads to a very thorough survey of the queryargs behavior of the > major browser families which is worth reviewing; > https://bugzilla.mozilla.org/show_bug.cgi?id=1152455#c6 > unwise/unsafe aside, review the rest of that comment 6 survey. But a short synopsys... IE fails to encode any byte 7F-FF in the query args (particularly noxious with DEL). Retested and this remains true of IE 12 on Windows 10. So UTF-8 query arg text is transmitted in raw bytes on IE in violation of RFC3986, while all other browsers encode these. All browsers use U+FFFD to map the value NUL. In respect to other discussions about ctrl chars, things get interesting. TAB/LF/CR are simply eaten and not sent to the server, while other CTRLs in all IE query args are been considered invalid, and the browser refuses to transmit these. Trailing CTRLs on all browsers are simply discarded. Given Microsoft's lead here in ignoring or refusing all CTRLs for query args (except DEL which they mishandle anyways) it it starting to look especially safe to reject all %XX control chars when operating in the StrictURI mode (and as a non-default in 2.2/2.4). Thoughts?
