lynx-dev

Re: lynx-dev priorities (was 2.8rel.2)


From: Klaus Weide
Subject: Re: lynx-dev priorities (was 2.8rel.2)
Date: Fri, 29 Jan 1999 00:36:12 -0600 (CST)

On Fri, 29 Jan 1999, Henry Nelson wrote:
[Philip:]
> > anonymous users are mostly on freenets at libraries or colleges in
> > well-heeled places like Vancouver & Phoenix,
> 
> ? This comes across to me as an entirely unfounded statement.

Indeed.
 
> Klaus, if you've got a few spare minutes, I wonder if you'd mind
> commenting or chiding me about the hack below to block reading in of
> control codes when entering URLs.
> 
>      http://www.irm.nara.kindai.ac.jp/lynxdev/hacks/xxunescape.gz

It is probably ok for your purpose, but I wouldn't want to put it in
the distributed code as it is - I regard HTUnEscape() as a very low-
level function that can be used in all kinds of places, and in some
of those places unescaping control characters is legitimate.

For example Unix filenames can have arbitrary characters.  Using such
names may not be very useful, but if I choose to do so Lynx shouldn't
prevent me from accessing those files.

Ideally all parts of the code where a string is used after
HTUnEscaping should check for problematic characters, as for example
HTTelnet does.  Relying on HTUnEscape alone doesn't protect against
the case where control characters are in a string in raw form (not
escaped).

Your modified HTUnEscape() could be useful as an alternative version,
to be called where there really is a no-controlchars requirement;
but most of those places probably have to do other checks anyway
(for ;<>& etc.) to be safe.

For your purpose I can't see how your change does any harm.  But if
you have an actual case where this change protects you (against some
kind of intrusion or whatever) and without this change you are not
protected, you should report it - it means something needs to be fixed
somewhere else.

   Klaus
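An added illustration of the point made above, not Lynx code and not from this thread: a plain %XX decoder modelled on HTUnEscape(), a flag that approximates the discussed hack (drop control characters produced by decoding), and the check a consumer of the decoded string should run itself. The names `url_unescape`, `has_control_chars`, `rejected_after_decode` and the `drop_controls` flag are hypothetical.

```c
#include <string.h>

/* Constructed example, not Lynx's HTUnEscape(); all names are hypothetical. */

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* In-place %XX decoder.  With drop_controls == 0 it behaves like a plain
 * HTUnEscape(): every escape, %0A included, is decoded.  With drop_controls
 * != 0 it approximates the discussed hack: a control character produced by
 * an escape is dropped, but raw bytes are copied through untouched. */
void url_unescape(char *s, int drop_controls) {
    char *p = s, *q = s;
    while (*p) {
        int hi, lo;
        if (*p == '%' && (hi = hexval(p[1])) >= 0 && (lo = hexval(p[2])) >= 0) {
            unsigned char c = (unsigned char)(hi * 16 + lo);
            p += 3;
            if (drop_controls && (c < 0x20 || c == 0x7f))
                continue;           /* decoded control byte suppressed */
            *q++ = (char)c;
        } else {
            *q++ = *p++;            /* raw byte, control or not, unchanged */
        }
    }
    *q = '\0';
}

/* The check a consumer of the decoded string should run itself: reject
 * any C0 control character or DEL, whether it arrived escaped or raw. */
int has_control_chars(const char *s) {
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x20 || c == 0x7f) return 1;
    }
    return 0;
}

/* Decode a copy of url the given way and report whether the consumer-side
 * check would still reject the result (1) or accept it (0). */
int rejected_after_decode(const char *url, int drop_controls) {
    char buf[256];
    strncpy(buf, url, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    url_unescape(buf, drop_controls);
    return has_control_chars(buf);
}
```

The escaped newline is caught either by the hack or by the consumer check, but a raw newline already in the string passes the hack unchanged and is only caught when the consumer checks the decoded result.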
