Daniel Fisher (lennybacon.com)

SOA, DATA & THE WEB

Do not trust user input - live.com

I was searching for a colleague's blog in a "legacy search engine" ;-)... and found a page on Kay Giza's blog which linked "Niel Gräf" to somewhere. It wasn't his blog; it was a link to a "Live Search":

http://search.live.com/results.aspx?mkt=de-de&FORM=TOOLBR&q="Nils+Gräf"&FORM=TOOLBR

Kay, please don't take it personally... What we see is a foreign page calling into Live without encoding the URL properly. That is what every non-technical publisher will do, because they do not know better!

1) Clicking the link will open Live.com and will also show results, if you have German language settings:

image

But if you click on "Next Page" to browse the results:

image

2) If you have en-US settings you'll get nothing:

image

So what happens here?

1) Live.com does not encode the user input properly when it reuses that input to build links (such as the "Next Page" link) - that's bad!

2) Live.com strips out special characters - not nice.
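The two failures above come from the same root cause: a query value taken from the request is pasted back into a generated URL as-is. As an added example (not code from the post or from Live.com), here is a naive link builder beside one that percent-encodes every parameter and rebuilds a "Next Page" link from an incoming request. The `first` paging parameter and the query string layout are assumptions for illustration, not Live.com's real API.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Base URL as it appears in the post
SEARCH_BASE = "http://search.live.com/results.aspx"
# Characters RFC 3986 permits in a URL; anything else must be percent-encoded
VALID_URL = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$")


def naive_link(q, mkt="de-de", form="TOOLBR"):
    """String concatenation: reproduces the unencoded link from the post."""
    return f"{SEARCH_BASE}?mkt={mkt}&FORM={form}&q={q}"


def safe_link(q, mkt="de-de", form="TOOLBR", first=1):
    """urlencode percent-encodes quotes, '&', and the UTF-8 bytes of 'ä'.
    'first' is an assumed paging parameter, not Live.com's real one."""
    query = urlencode({"mkt": mkt, "FORM": form, "q": q, "first": first})
    return f"{SEARCH_BASE}?{query}"


def is_valid_url(url):
    """True if the URL contains only characters RFC 3986 allows."""
    return bool(VALID_URL.match(url))


def query_param(url, name):
    """Decode a parameter the way a server would; None if it is missing."""
    return parse_qs(urlsplit(url).query).get(name, [None])[0]


def next_page(url, page_size=10):
    """Build the 'Next Page' link from an incoming request URL: parse the
    query, advance the offset, and re-encode every value instead of
    pasting the raw text back into the new link."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    params["first"] = int(params.get("first", 1)) + page_size
    return f"{parts.scheme}://{parts.netloc}{parts.path}?{urlencode(params)}"


if __name__ == "__main__":
    q = '"Nils Gräf"'  # constructed from the query in the post
    print(naive_link(q), is_valid_url(naive_link(q)))
    print(safe_link(q), is_valid_url(safe_link(q)))
    print(next_page(safe_link(q)))
```

With a value such as `a&b`, the naive link silently truncates the query to `a`, while the encoded link round-trips it intact.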

Hope there will be an improvement soon :-)
