backbone icon indicating copy to clipboard operation
backbone copied to clipboard

Published 20 hours ago verified publisher icon jashkenas

Invalid parameters

Open braddunbar opened this issue 9 years ago • 5 comments

Backbone route parameters are decoded via decodeURIComponent. If the parameter is malformed (e.g. %foo) then a URIError is thrown. Since the user is in control of the url, this can happen even if all caution is taken to encode parameters. Is this truly an exceptional case in which things are so broken that execution should stop? If not, what should we return as a parameter?

braddunbar avatar Jan 07 '15 17:01 braddunbar

The user isn't really in control of the URL -- you can feed bizarro URLs to any website which will give you invalid pages ... either in the form of a 404, or some type of graceful 500.

For invalid URLs, we should be emitting the error in a way that allows the app to handle it. Do you think that a try/catch around your history.start() isn't good enough?

jashkenas avatar Jan 07 '15 21:01 jashkenas

The user isn't really in control of the URL -- you can feed bizarro URLs to any website which will give you invalid pages ... either in the form of a 404, or some type of graceful 500.

Right, but urls aren't always created domestically. Search urls are especially problematic as they're often fed in from an external source (e.g. /search/malformed%query).

For invalid URLs, we should be emitting the error in a way that allows the app to handle it. Do you think that a try/catch around your history.start() isn't good enough?

No, I don't think so. If someone were to errantly navigate to /search/malformed%query, I'd like the app to allow them to modify the query. Wrapping History#start means execution is stopped before the route is executed. The only option is to dump them with a "Whoops! You url is malformed." message. With #3434, it's possible for this to happen even if the url is correctly escaped.

braddunbar avatar Jan 07 '15 21:01 braddunbar

What do you think that a nicer API for the developer writing the router would be?

jashkenas avatar Jan 07 '15 22:01 jashkenas

Might an error event work better? IE. only when there is an error matching a route, not when a route is unmatched.

router.on('error', function(route) {
  // handle bad input
});

Edit: thinking about it, error would be better. Doh.

jridgewell avatar Jan 07 '15 22:01 jridgewell

An error event isn't a bad idea. For nearly all use cases, I'd be fine with just passing along the parameter as is. Otherwise, I could handle the error event so I know about it in the route. Anything is better than a broken page.

braddunbar avatar Jan 09 '15 19:01 braddunbar