[Imps] Reasonable limits on buffered values

Ian Hickson ian at hixie.ch
Wed Jan 3 15:07:20 PST 2007


On Fri, 29 Dec 2006, Simon Pieters wrote:
> 
> From: Henri Sivonen <hsivonen at iki.fi>
> >I'm wondering if there's a best practice here. Is there data on how
> >long non-malicious attribute values legitimately appear on the Web?

I'll see if I can get some data. (No ETA.)


> Additionally, .NET applications can have long attribute values too. See 
> "Figure 3. Simple page LessViewState.aspx with DataGrid1" at
>    
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspnet/html/asp11222001.asp
>
> That's 3.05 KiB, but can get a lot longer depending on the number of 
> form controls, I think.

I myself have written pages with significantly longer href="" attributes, 
e.g. when using long data: URIs of big images.

The problem is that whatever limit you set, you'll always find a 
legitimate document that's bigger. It sounds stupid but the best practice 
really is to not have explicit limits, but instead to have algorithms that 
can handle any volume of input without exploding. It might be best, in 
fact, to limit CPU and memory usage, rather than attempting to limit input 
buffers. ("This page would take too many resources to handle.") That 
actually handles the billion laughs problem without having to special case 
anything to do with it.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
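
The approach described in the message above (one resource budget for the whole document instead of a per-value length limit), as an added example that is not part of the original message or of any implementation it refers to. The `&name;` reference syntax, the unit accounting (one unit per expansion and per character emitted, standing in for CPU and memory) and all names and sample inputs are assumptions constructed for illustration.

```python
import re

REF = re.compile(r"&(\w+);")  # simplified entity-reference syntax (assumption)

class BudgetExceeded(Exception):
    pass

class Budget:
    """One work counter shared by the whole document, not one per value."""
    def __init__(self, max_units):
        self.max_units, self.used = max_units, 0

    def charge(self, units):
        self.used += units
        if self.used > self.max_units:
            raise BudgetExceeded("This page would take too many resources to handle.")

def expand(text, entities, budget):
    """Expand references iteratively; charge 1 unit per expansion and per character emitted."""
    out, stack = [], [text]
    while stack:
        piece = stack.pop()
        m = REF.search(piece)
        while m and m.group(1) not in entities:  # unknown name: keep as literal text
            m = REF.search(piece, m.end())
        if m is None:
            budget.charge(len(piece))
            out.append(piece)
            continue
        budget.charge(1 + m.start())
        out.append(piece[:m.start()])
        stack.append(piece[m.end():])        # remainder, handled after the replacement
        stack.append(entities[m.group(1)])   # replacement text, handled next
    return "".join(out)

def fits(text, entities, max_units):
    """True if the document can be processed within the budget."""
    try:
        expand(text, entities, Budget(max_units))
        return True
    except BudgetExceeded:
        return False

# Constructed inputs: a 200 KB data: URI value, and ten levels of nested entities.
LONG_HREF = "data:image/png;base64," + "A" * 200_000
NESTED = {"lol0": "lol"}
for i in range(1, 10):
    NESTED[f"lol{i}"] = f"&lol{i - 1};" * 10

if __name__ == "__main__":
    print(fits(LONG_HREF, {}, 1_000_000))     # long but cheap value
    print(fits("&lol9;", NESTED, 1_000_000))  # short but expensive value
```

The 200 KB value passes because its cost is linear in its size, while the six-character reference is rejected once its expansion has consumed the budget; a self-referencing entity is stopped the same way because every expansion step is charged.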


