Do not trust user input

I was searching for a colleague's blog in a "legacy search engine" ;-)... and found a page in Kay Giza's blog which linked "Niel Gräf" to somewhere. It wasn't his blog; it was a linked "Live Search":"Nils+Gräf"&FORM=TOOLBR

Kay, please don't take it personally... What we see is a foreign page calling into Live without encoding the URL properly. That is what every non-technical publisher will do, because they do not know better!

1) Clicking the link will open and will also show results - if you have German language settings:


But if you click on "Next Page" to browse the results:


2) If you have en-US settings you'll get nothing:

So what happens here?

1) Live.com does not encode the user input properly when using it to format links - that's bad!

2) It strips out special characters - not nice.
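
The "Next Page" problem from point 1, as an added example (not code from the original post or from Live Search): a link builder that pastes the query in raw, next to one that percent-encodes it for the URL and escapes it for the HTML attribute. The host `search.example` and the parameter names `q` and `first` are assumptions.

```javascript
// Added example: hypothetical search host and parameter names (q, first).
const SEARCH_BASE = "https://search.example/results";

// Escape text for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// "Before": the user's query is pasted into the link as-is.
function nextPageLinkUnsafe(query, first) {
  return '<a href="' + SEARCH_BASE + "?q=" + query + "&first=" + first + '">Next Page</a>';
}

// "After": percent-encode for the URL (UTF-8), then escape for the attribute.
function nextPageLink(query, first) {
  const params = new URLSearchParams({ q: query, first: String(first) });
  return '<a href="' + escapeAttr(SEARCH_BASE + "?" + params.toString()) + '">Next Page</a>';
}

// What a browser takes as the href: everything up to the first closing
// quote, with the HTML entities decoded (&amp; last, to avoid double decoding).
function hrefOf(anchorHtml) {
  const m = /href="([^"]*)"/.exec(anchorHtml);
  return m[1].replace(/&quot;/g, '"').replace(/&lt;/g, "<")
             .replace(/&gt;/g, ">").replace(/&amp;/g, "&");
}

// The query the results page receives after the link is followed.
function queryAfterClick(anchorHtml) {
  return new URL(hrefOf(anchorHtml)).searchParams.get("q");
}

// Constructed sample input: a quoted phrase with a non-ASCII letter.
const userQuery = '"Nils Gräf"';
// Raw builder: the quote in the input ends the href early, the query is lost.
console.log(JSON.stringify(queryAfterClick(nextPageLinkUnsafe(userQuery, 11))));
// Encoding builder: the query survives the round trip unchanged.
console.log(JSON.stringify(queryAfterClick(nextPageLink(userQuery, 11))));
```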

Hope there will be improvement soon :-)
