It's long, I know, I'm sorry :(

Friday, November 29, 2002, 12:18:10 AM, you wrote:

JA> It's almost this kind of thinking (no offence) that starts getting
JA> programs in trouble. I know mailto: URLs won't cause any harm (unless
JA> you do permit certain headers to be set), but saying "well, just let
JA> this one slip a little" just starts to promote bad coding, and hence
JA> security bugs.

This doesn't promote bad coding at all, especially in this case. In fact, most IE holes have nothing to do with not following official standards (usually a buffer overflow or something related to security zones and scripting). The cases which are involve proprietary extensions added by MS themselves, not an effort to support ones in wide use made by other people. MS has bad coding practice in general, regardless of context, so trying to point one thing as being the result of it seems a bit silly.

The "be lenient in what you accept, strict in what you send" is the standard, widely accepted mentality for 99% of software. djb's software is the only software I can think of that doesn't, and it can get away with it because it breaks very little software (if any). If you've ever written server or certain client software you'll realize that there are a) a lot of non-standard clients and servers and b) you have to support them. I've encountered problems like this, thinking it was a bug in my code, only to find out about some sort of non-compliant support I needed to add to allow the software on the other end to function properly (this is especially true on usenet).

Apache is a great example of software needing to support non-compliant clients (see http://www.apacheweek.com/issues/01-03-02). It will accept a variety of non-compliant inputs, I know because I've actually tried (you might be surprised what you can get away with). Likewise you could think of OpenSSH which is capable of emulating (non-compliant) bugs in old ssh clients. This is also done with all major browsers to accept non-compliant HTML (very very few webpages have 100% compliant HTML).
I wouldn't be surprised if The Bat! accepts messages which are incorrectly encoded (like with MIME). I didn't know this until now, but apparently that "be lenient ..." saying is from the IETF according to that URL, meaning they acknowledge its necessity.

JA> Plus the mailto: is follow standard RFC guidelines on
JA> correctly formatted URLs (you won't find a single website that can be
JA> served with a space in it, the server will convert the names to %20).
JA> Break it, and you might end up causing all kinds of issues.

This isn't breaking *anything*. This is about accepting a non-compliant input, not producing a non-compliant output. This case is also different than a url with spaces in that the HTTP protocol relies on url having no spaces (because the space is used to delimit a parameter that comes after it). With mailto it can easily be interpreted without confusion. This is not to mention the fact that the non-compliant mailto: is in such wide use that it's become an unofficial standard (the RFC itself was made in 1998, long after it had already been in use).

JA> Saying that other clients (OE in your reference) interpret the mailto:
JA> correctly is incorrect. RFCs say, you *must* convert the special
JA> characters to their hex equivalent. Reading it in any other ways is
JA> wrong, no matter how you look at it.

It may be wrong from the standpoint of the RFC, but from an intuitive standpoint (that of everyone who does it) it makes perfect sense. It's not at all difficult to interpret as it was intended by the author.

JA> I think RitLabs have done the correct thing in following the RFCs
JA> correctly. The more compliance you have with standards, the more
JA> likely you are to do well. Start changing things, or flexing the rules
JA> slightly, and you end up having all kinds of problems.

Actually it tends to be the opposite. If you don't support non-compliant stuff you start breaking clients/servers and data ends up getting misrepresented/misdisplayed.
If software writers, especially those who make web browsers, didn't support non-compliant stuff many pages wouldn't display quite right or not at all (yes, even Opera does this). In fact, if you are so strict as to accept only perfect compliance people probably would stop using your browser because they would be limited to only those websites who bothered to use the w3c validator (which is very few sadly). Besides, it IS just mailto, you really aren't hurting anything.

________________________________________________
Current version is 1.61 | "Using TBUDL" information:
http://www.silverstones.com/thebat/TBUDLInfo.html