backbone
backbone copied to clipboard
Invalid parameters
Backbone route parameters are decoded via decodeURIComponent
. If the parameter is malformed (e.g. %foo
) then a URIError
is thrown. Since the user is in control of the url, this can happen even if all caution is taken to encode parameters. Is this truly an exceptional case in which things are so broken that execution should stop? If not, what should we return as a parameter?
The user isn't really in control of the URL -- you can feed bizarro URLs to any website which will give you invalid pages ... either in the form of a 404, or some type of graceful 500.
For invalid URLs, we should be emitting the error in a way that allows the app to handle it. Do you think that a try/catch
around your history.start() isn't good enough?
The user isn't really in control of the URL -- you can feed bizarro URLs to any website which will give you invalid pages ... either in the form of a 404, or some type of graceful 500.
Right, but urls aren't always created domestically. Search urls are especially problematic as they're often fed in from an external source (e.g. /search/malformed%query
).
For invalid URLs, we should be emitting the error in a way that allows the app to handle it. Do you think that a try/catch around your history.start() isn't good enough?
No, I don't think so. If someone were to errantly navigate to /search/malformed%query
, I'd like the app to allow them to modify the query. Wrapping History#start
means execution is stopped before the route is executed. The only option is to dump them with a "Whoops! You url is malformed." message. With #3434, it's possible for this to happen even if the url is correctly escaped.
What do you think that a nicer API for the developer writing the router would be?
Might an error
event work better? IE. only when there is an error matching a route, not when a route is unmatched.
router.on('error', function(route) {
// handle bad input
});
Edit: thinking about it, error
would be better. Doh.
An error
event isn't a bad idea. For nearly all use cases, I'd be fine with just passing along the parameter as is. Otherwise, I could handle the error
event so I know about it in the route. Anything is better than a broken page.