toLeopard: Trouble with slashes and question marks in asset URLs (normalize/sanitize costume and sound names?) #140
Labels: bug (Something isn't working), discussion (Looking for feedback and input), fmt: Leopard (Pertains to Leopard format (JavaScript))
`toLeopard` currently defines a default function for `getAssetURL`, which takes the type of the asset (costume/sound), the target's CapitalCamelCased name, the name as-is of the asset, and the asset's file extension.

This causes a few concerns and troubles when actually generating or serving those assets:

- `..` and `.` are invalid names for files, and so are files that end with a `.` (https://superuser.com/a/1434917)... but we avoid these, because we always include `.${ext}` as part of (and the end of) the string.
- `../../../../spooky` may be a cause for security trouble.

It would be nice to just use `encodeURIComponent`, but I'm honestly not sure if that's sufficient for normal static file servers.

The other approach is to sanitize asset names, either inside `getAssetURL` or before passing there. We "sanitize" target names by CapitalCamelCasing them already, so it's not totally unreasonable to do similar with costume names. I think I'd rather do this work outside of `getAssetURL`, because forcing custom implementations to do similar work seems like a source of trouble, if at the end of the day we're asking for and expecting a URL anyway (so best to avoid characters that cause trouble for typical URLs).

We need to make sure that if we change anything about `getAssetURL` internally, other custom `getAssetURL` (in `toLeopard` consumers) are updated accordingly. Probably just leopard-website, if any.