Generate clean slugs #228
Reference: Plume/Plume#228
When we create a new blog, a slug is created (i.e. `My blog` becomes `myBlog`).

To avoid character encoding, this slug should not contain special characters.

For instance, the blog title `Blog de Nathanaël` becomes `~BlogDeNathanaël`, so the URL is encoded to https://fediverse.blog/~/BlogDeNathana%C3%ABl/ which is hard to read for a human.

Also, it is easy to spoof an identity by using a title with similar letters (for instance `𝖻а𝗍` looks identical to `bat`, but uses 3 other different characters)... and there are 337,968,125,414,970,750,000,000 ways to write my blog name using UTF-8 confusable characters. ;)

By convention, most slugs use hyphen-separated lowercase words.
That's what we are doing for article slugs, but as blog slugs are also used as ActivityPub actor names, I prefer to have them CamelCased (if we allow mentioning blogs in articles in the future, for instance, it will be more coherent with usernames, which rarely contain hyphens as spaces).
I think I will open a debate on Loomio for this issue, because even if I agree that we shouldn't make it easy to do phishing or to impersonate someone else, I don't think we can really use something like punycode, or create something to transform non-ASCII characters to ASCII. I feel like we should take the risk to have impersonation/phishing but I don't know if it is actually a good idea.
Here is the Loomio discussion: https://framavox.org/d/d5P7oepg/slugs
This algorithm may be useful to solve this issue in a way that both avoids security issues and allows for characters outside of ASCII: https://wiki.mozilla.org/IDN_Display_Algorithm
It's relevant for German, too. We have umlauts äüö and the ß.
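
An added example, not part of the thread and not Plume's code: a sketch of the single-script restriction at the core of the IDN display algorithm linked above, applied to CamelCased blog slugs so that umlauts and `ë` are kept while the `𝖻а𝗍` title is rejected. `clean_slug` and `script_of` are hypothetical names, and the script lookup is an assumption that approximates the Unicode Script property by the first word of each character's name.

```python
import unicodedata


def script_of(ch):
    """Approximate a letter's script by the first word of its Unicode name.

    Assumption: this stands in for the real Script property, which the
    Python standard library does not expose.
    """
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def clean_slug(title):
    """Return (slug, scripts) for a blog title, or raise ValueError.

    Simplified from the IDN display algorithm: every letter must come
    from one script (no list of allowed script combinations).
    """
    # NFKC folds compatibility look-alikes (mathematical alphanumerics,
    # fullwidth forms) onto their base letters and composes accents.
    folded = unicodedata.normalize("NFKC", title)
    # Anything that is not a letter or digit acts as a word separator.
    words = "".join(c if c.isalnum() else " " for c in folded).split()
    slug = "".join(w[:1].upper() + w[1:] for w in words)
    if not slug:
        raise ValueError("empty slug")
    scripts = {script_of(c) for c in slug if c.isalpha()}
    if len(scripts) > 1:
        raise ValueError(f"mixed scripts: {sorted(scripts)}")
    return slug, scripts


if __name__ == "__main__":
    # Constructed sample titles; the last is the thread's look-alike of
    # "bat": U+1D5BB, U+0430 (Cyrillic a), U+1D5CD.
    samples = ["My blog", "Blog de Nathanaël", "Größe und Maß",
               "\U0001d5bb\u0430\U0001d5cd"]
    for title in samples:
        try:
            print(repr(title), "->", clean_slug(title)[0])
        except ValueError as err:
            print(repr(title), "rejected:", err)
```

Titles written entirely in one script still pass, so whole-script look-alikes need a separate confusables check.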