💾 Archived View for mozz.us › journal › 2019-08-24_questions_on_input.gmi captured on 2024-09-29 at 00:20:45. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2020-09-24)

-=-=-=-=-=-=-

Questions on INPUT behavior

Published 2019-08-24

Posted to the gemini mailing list

Hi all. I'm looking into implementing a few endpoints on my server that accept user input, and I ended up with a few ambiguities about the gemini specification that I would like to discuss:

The requested resource accepts a line of
textual user input. The <META> line is a
prompt which should be displayed to the
user.  The same resource should then be
requested again with the user's input
included as a query component.  Queries
are included in requests as per the
usual generic URL definition in RFC3986,
i.e. separated from the path by a ?.
There is no response body.

Here are my questions:

1. Should the query component be formatted as a "key=value" parameter? Or should it be added directly as the entire query component?

A. "gemini://hostname.com/input?q=AbrahamLincoln"

vs.

B. "gemini://hostname.com/input?AbrahamLincoln"

2. Should the query component allow percent-sign escaping? If so, which characters should be escaped?

A. "gemini://hostname.com/input?Hello%20world"

vs.

B. "gemini://hostname.com/input?Hello world"

3. Should a server be allowed to link to a URL with the user input pre-filled? E.g. Should this link, if placed in a text/gemini file, mean the same thing as the user manually typing in "Hello World"?

A. "=>/input?Hello%20world"

This also brings up a point that the above link would be impossible to define in a text/gemini file if percent-escaped spaces were not allowed.

4. If my server has an endpoint that does not request user input, can I re-purpose the query section for my own needs?

A. "gemini://hostname.com/items?page=2&limit=20"

5. In the above example, what happens if a request to that URL returns a status code of 10? Should the client strip the existing query components from the URL, or append a new key=value pair to the end?

6. What widget should the client use to display the input prompt? A single line input, or a multi-line text box? Should newline characters even be allowed?

7. Should there be a maximum input length? Currently it is implicitly defined as 1024 bytes minus the length of the URL.

Personally, I have mixed feelings about gemini enabling user input in the first place. I know that gopher supports it using the "7" item type, but I have only seen a couple of compelling use cases for this in the wild. On the other hand, it opens up a Pandora's box of complexity by allowing creative developers to port over many features from HTTP.

I can already envision XSS style attacks. For example, say a gemini page requests user input that will be rendered in a public text/gemini page like a guestbook. The bad-actor submits a message that contains something like:

"\n=>http://malicious.url\thttp://innocent.url".

Servers will need to be diligent in sanitizing their inputs, which kind of sucks for what should be a simple protocol.