On Tue, 20 Jul 2004 00:33:55 +0100, Timwi timwi@gmx.net wrote:
Never assume that. Never assume any browser works in any way you want, and never assume malicious users might not send erroneous POST requests by themselves. If you make assumptions, the cases you assume are impossible can in some cases give rise to an exploit.
OK, fair enough - but note that a browser that ignores the HTML 'checked' attribute is unlikely to support JavaScript in any real sense anyway. Also note that the form isn't even a POST request, just a way of filling the <foo> and <bar> values in the '...&diff=<foo>&oldid=<bar>' URL - whatever the form does, the actual diff code needs to be impervious to all sorts of strange values in there, because people can type them straight in their address bar. In fact, it seems to do rather well - my thoroughly mixed up test http://en.wikipedia.org/w/wiki.phtml?title=Wikipedia%3ACopyrights&diff=4... (which refers to three articles at once, in different ways) actually has a fairly sane outcome. So, too, does just deleting one of the values; and deleting both just leaves you looking at the current version.
In other words, as one would hope, the arguments are validated on processing, not on input.
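To illustrate validating on processing rather than on input, the following Python is an added example, not part of the original message and not MediaWiki's code. It resolves `title`, `diff` and `oldid` from the URL alone. The revision table, the `wiki.example` host, the "Main Page" default and the fallback rules (ignore any id that is malformed or belongs to another page) are assumptions made for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed revision store (revision id -> page title); not real Wikipedia data.
REVISIONS = {101: "Wikipedia:Copyrights", 102: "Wikipedia:Copyrights", 205: "Main Page"}


def parse_rev_id(raw, title):
    """Return raw as a revision id of `title`, or None if it is anything else."""
    # Reject missing values, signs, whitespace, non-ASCII digits and absurd lengths
    # before int() ever sees the string.
    if raw is None or len(raw) > 10 or not (raw.isascii() and raw.isdigit()):
        return None
    rev = int(raw)
    # An id that exists but belongs to another page is treated as absent.
    return rev if REVISIONS.get(rev) == title else None


def resolve_view(url):
    """Decide what to render from the URL alone, whatever form or person built it."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    title = query.get("title", ["Main Page"])[0]
    diff = parse_rev_id(query.get("diff", [None])[0], title)
    oldid = parse_rev_id(query.get("oldid", [None])[0], title)
    if diff is not None and oldid is not None:
        return ("diff", title, oldid, diff)
    if diff is not None or oldid is not None:
        return ("revision", title, diff if diff is not None else oldid)
    return ("current", title)


if __name__ == "__main__":
    base = "http://wiki.example/w/wiki.phtml?title=Wikipedia%3ACopyrights"
    for tail in ("&diff=102&oldid=101", "&diff=205&oldid=101", "&diff=-1&oldid=1e9", ""):
        print(tail or "(no ids)", "->", resolve_view(base + tail))
```

The `isascii()` check matters because Python's `int()` also accepts non-ASCII decimal digits, which would otherwise let several different strings alias the same revision id.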