Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disallow template substitution in the path of the URL template #33

Merged
merged 2 commits into from
Feb 23, 2018
Merged

Disallow template substitution in the path of the URL template #33

merged 2 commits into from
Feb 23, 2018

Conversation

mgiuca
Copy link
Collaborator

@mgiuca mgiuca commented Feb 9, 2018
edited by pr-preview bot
Loading

This prevents a path escape if the share data includes "..". While it is a bit restrictive, we expect templates to mostly be in the query or fragment part of a URL.

Closes #30.

Preview | Diff

@mgiuca mgiuca requested a review from marcoscaceres February 9, 2018 00:32
@mgiuca
Copy link
Collaborator Author

mgiuca commented Feb 9, 2018

@marcoscaceres and @ericwilligers PTAL.

There's a follow-up to this in mgiuca/web-share-target/parse-at-parse-time, which changes the processing and validation to take place at manifest load time. But I separated this change out.

marcoscaceres
marcoscaceres approved these changes Feb 9, 2018
View reviewed changes
Copy link
Member

@marcoscaceres marcoscaceres left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. I guess the only thing would be to allow "replace placeholders" to do the null check, and just return an empty string. That would remove a few ifs, but no big deal.

@mgiuca mgiuca mentioned this pull request Feb 13, 2018
Merged
@mgiuca mgiuca force-pushed the no-placeholders-in-path branch from 9951f1a to 840922d Compare February 16, 2018 06:04
@mgiuca mgiuca force-pushed the no-placeholders-in-path branch from 840922d to 9883de6 Compare February 23, 2018 03:51
@mgiuca
Copy link
Collaborator Author

mgiuca commented Feb 23, 2018

I guess the only thing would be to allow "replace placeholders" to do the null check, and just return an empty string. That would remove a few ifs, but no big deal.

I thought about this a bit, and decided not to. Rationale: This would make the "replace placeholders" algorithm take a maybe-null value and return a maybe-null value. It would return null if-and-only-if the input is null. I generally prefer that functions do not take and return null values, and if the only reason to return null is in case the input is null, I prefer that the caller simply check beforehand. (As a general programming principle.)

@mgiuca mgiuca merged commit a187582 into w3c:master Feb 23, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@marcoscaceres marcoscaceres marcoscaceres approved these changes

@ericwilligers ericwilligers ericwilligers approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mgiuca @marcoscaceres @ericwilligers