Questions on INPUT behavior
Posted to the gemini mailing list
Hi all. I'm looking into implementing a
few endpoints on my server that accept
user input, and I ended up with a few
ambiguities about the gemini
specification that I would like to
The requested resource accepts a line of
textual user input. The <META> line is a
prompt which should be displayed to the
user. The same resource should then be
requested again with the user's input
included as a query component. Queries
are included in requests as per the
usual generic URL definition in RFC3986,
i.e. separated from the path by a ?.
There is no response body.
Here are my questions:
1. Should the query component be
formatted as a "key=value" parameter?
Or should it be added directly as the
entire query component?
2. Should the query component allow
percent-sign escaping? If so, which
characters should be escaped?
B. "gemini://hostname.com/input?Hello world"
3. Should a server be allowed to link to
a URL with the user input pre-filled?
E.g. Should this link, if placed in a
text/gemini file, mean the same thing
as the user manually typing in "Hello
This also brings up a point that the
above link would be impossible to
define in a text/gemini file if
percent-escaped spaces were not
4. If my server has an endpoint that
does not request user input, can I
re-purpose the query section for my
5. In the above example, what happens if
a request to that URL returns a
status code of 10? Should the client
strip the existing query components
from the URL, or append a new
key=value pair to the end?
6. What widget should the client use to
display the input prompt? A single
line input, or a multi-line text box?
Should newline characters even be
7. Should there be a maximum input
length? Currently it is implicitly
defined as 1024 bytes minus the
length of the URL.
Personally, I have mixed feelings about
gemini enabling user input in the first
place. I know that gopher supports it
using the "7" item type, but I have only
seen a couple of compelling use cases
for this in the wild. On the other hand,
it opens up a Pandora's box of
complexity by allowing creative
developers to port over many features
I can already envision XSS style
attacks. For example, say a gemini page
requests user input that will be
rendered in a public text/gemini page
like a guestbook. The bad-actor submits
a message that contains something like:
Servers will need to be diligent in
sanitizing their inputs, which kind of
sucks for what should be a simple