Status20 Success
Metatext/plain
Questions on INPUT behavior
Posted to the gemini mailing list

Hi all. I'm looking into implementing a
few endpoints on my server that accept
user input, and I ended up with a few
ambiguities about the gemini
specification that I would like to
discuss:

```
The requested resource accepts a line of
textual user input. The <META> line is a
prompt which should be displayed to the
user.  The same resource should then be
requested again with the user's input
included as a query component.  Queries
are included in requests as per the
usual generic URL definition in RFC3986,
i.e. separated from the path by a ?.
There is no response body.
```

Here are my questions:

1. Should the query component be
   formatted as a "key=value" parameter?
   Or should it be added directly as the
   entire query component?

   A. "gemini://hostname.com/input?q=AbrahamLincoln"
   vs.
   B. "gemini://hostname.com/input?AbrahamLincoln"

2. Should the query component allow
   percent-sign escaping? If so, which
   characters should be escaped?

   A. "gemini://hostname.com/input?Hello%20world"
   vs.
   B. "gemini://hostname.com/input?Hello world"

3. Should a server be allowed to link to
   a URL with the user input pre-filled?
   E.g. Should this link, if placed in a
   text/gemini file, mean the same thing
   as the user manually typing in "Hello
   World"?

   A. "=>/input?Hello%20world"

   This also brings up a point that the
   above link would be impossible to
   define in a text/gemini file if
   percent-escaped spaces were not
   allowed.

4. If my server has an endpoint that
   does not request user input, can I
   re-purpose the query section for my
   own needs?

   A. "gemini://hostname.com/items?page=2&limit=20"

5. In the above example, what happens if
   a request to that URL returns a
   status code of 10? Should the client
   strip the existing query components
   from the URL, or append a new
   key=value pair to the end?

6. What widget should the client use to
   display the input prompt? A single
   line input, or a multi-line text box?
   Should newline characters even be
   allowed?

7. Should there be a maximum input
   length? Currently it is implicitly
   defined as 1024 bytes minus the
   length of the URL.

Personally, I have mixed feelings about
gemini enabling user input in the first
place. I know that gopher supports it
using the "7" item type, but I have only
seen a couple of compelling use cases
for this in the wild. On the other hand,
it opens up a Pandora's box of
complexity by allowing creative
developers to port over many features
from HTTP.

I can already envision XSS style
attacks. For example, say a gemini page
requests user input that will be
rendered in a public text/gemini page
like a guestbook. The bad-actor submits
a message that contains something like:

    "\n=>http://malicious.url\thttp://innocent.url".

Servers will need to be diligent in
sanitizing their inputs, which kind of
sucks for what should be a simple
protocol.