Re: [Uri-review] Request for review of "ab:" URI scheme

Bjoern Hoehrmann <derhoermi@gmx.net> Thu, 21 April 2011 20:14 UTC

From: Bjoern Hoehrmann <derhoermi@gmx.net>
To: Barry Leiba <barryleiba@computer.org>
Date: Thu, 21 Apr 2011 22:14:51 +0200
Cc: uri-review@ietf.org, draft-ietf-sieve-external-lists.all@tools.ietf.org

* Barry Leiba wrote:
>[...]

(I, or others, will look at this when Alexey has had a chance to respond.)

>> The draft needs to point out very clearly that implementations must,
>> if they process non-internal URIs, properly implement URI processing,
>> in particular %xx-escapes; right now the draft can easily be misread
>> to suggest a literal string comparison against "ab:default" is all
>> that is necessary for conformance.
>
>Interesting.  A reference to RFC 3986 isn't enough for that?  (Of
>course, I'd be happy to add such wording... but how much else do folks
>need to be told about how to use URIs, and why isn't that in a central
>place?)

The problem is that you are enumerating values like "ab:default" and
"ab:friends". Since it does not really make sense to write, instead,
"ab:%64efault", or, for that matter, "AB:default", I do think it is
important to reinforce that this is URI processing and not keyword
matching. It would be well-defined without the reminder, but there's
little reason to expect implementers to get this right on their own.

(If escaping rules were second nature to everybody, there would be,
say, no SQL injection attacks, no XSS attacks, and so on.)

(I would probably make an example with something like "AB:%64efAulT"
and put up a note saying the example demonstrates that the scheme
name is case-insensitive and that escapes must be processed properly;
I am not sure if the draft defines if "default" is case-sensitive.)
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
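
The point made in the message above, as an added example that is not part of the original message or the draft: a literal comparison against "ab:default" misses equivalent spellings such as "AB:%64efault", while RFC 3986 normalization (lowercase scheme, decode escapes of unreserved characters) matches them. The function names and the `fold_case` switch are hypothetical; `fold_case` exists only because the message leaves open whether the list name is case-sensitive.

```python
import re

# RFC 3986 section 2.3 "unreserved" characters: escapes of these are
# equivalent to the literal character and are decoded during normalization.
UNRESERVED = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
_PCT = re.compile(r"%(.{0,2})", re.DOTALL)
_HEX2 = re.compile(r"[0-9A-Fa-f]{2}\Z")


def _normalize_escapes(text):
    """Decode %xx for unreserved characters, uppercase the hex digits of
    all other escapes, and reject malformed escapes instead of guessing."""
    def repl(match):
        digits = match.group(1)
        if not _HEX2.match(digits):
            raise ValueError("malformed percent-escape: %" + digits)
        char = chr(int(digits, 16))
        return char if char in UNRESERVED else "%" + digits.upper()
    return _PCT.sub(repl, text)


def normalize_ab_uri(uri):
    """Return the normalized form of an ab: URI (hypothetical helper)."""
    scheme, sep, rest = uri.partition(":")
    # Scheme names are case-insensitive and cannot contain escapes.
    if not sep or scheme.lower() != "ab":
        raise ValueError("not an ab: URI: %r" % uri)
    return "ab:" + _normalize_escapes(rest)


def names_list(uri, list_name, fold_case=False):
    """True if uri identifies list_name after URI normalization.

    fold_case is an assumption knob, not draft behaviour: the message
    says it is unclear whether the draft makes "default" case-sensitive.
    """
    got = normalize_ab_uri(uri)[len("ab:"):]
    if fold_case:
        got, list_name = got.lower(), list_name.lower()
    return got == list_name


def naive_match(uri, list_name):
    """The keyword-style comparison the message warns against."""
    return uri == "ab:" + list_name
```
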