Hi all. I'm looking into implementing a few endpoints on my server that accept
user input, and I ended up with a few ambiguities about the gemini specification
that I would like to discuss:
```
The requested resource accepts a line of textual user input.
The <META> line is a prompt which should be displayed to the
user. The same resource should then be requested again with
the user's input included as a query component. Queries are
included in requests as per the usual generic URL definition
in RFC3986, i.e. separated from the path by a ?. There is no
response body.
```
Here are my questions:
1. Should the query component be formatted as a "key=value" parameter?
Or should it be added directly as the entire query component?
A. "gemini://hostname.com/input?q=AbrahamLincoln"
vs.
B. "gemini://hostname.com/input?AbrahamLincoln"
2. Should the query component allow percent-sign escaping?
If so, which characters should be escaped?
A. "gemini://hostname.com/input?Hello%20world"
vs.
B. "gemini://hostname.com/input?Hello world"
3. Should a server be allowed to link to a URL with the user input pre-filled?
E.g. Should this link, if placed in a text/gemini file, mean the same thing
as the user manually typing in "Hello World"?
A. "=>/input?Hello%20world"
This also brings up a point that the above link would be impossible to
define in a text/gemini file if percent-escaped spaces were not allowed.
4. If my server has an endpoint that does not request user input, can I
re-purpose the query section for my own needs?
A. "gemini://hostname.com/items?page=2&limit=20"
5. In the above example, what happens if a request to that URL returns a status
code of 10? Should the client strip the existing query components from the
URL, or append a new key=value pair to the end?
6. What widget should the client use to display the input prompt? A single line
input, or a multi-line text box? Should newline characters even be allowed?
7. Should there be a maximum input length? Currently it is implicitly defined
as 1024 bytes minus the length of the URL.
Personally, I have mixed feelings about gemini enabling user input in the first
place. I know that gopher supports it using the "7" item type, but I have only
seen a couple of compelling use cases for this in the wild. On the other hand,
it opens up a Pandora's box of complexity by allowing creative developers to
port over many features from HTTP.
I can already envision XSS style attacks. For example, say a gemini page
requests user input that will be rendered in a public text/gemini page like a
guestbook. The bad-actor submits a message that contains something like:
"\n=>http://malicious.url\thttp://innocent.url".
Servers will need to be diligent in sanitizing their inputs, which kind of sucks
for what should be a simple protocol.
- mozz
---
Next in thread (2 of 16): 🗣️ Sean Conner (sean (a) conman.org)