Possible consumer pitfalls
meepbear *
meepbear at hotmail.com
Sun Jul 3 16:15:50 PDT 2005
The idea is to use this thread when anyone implementing a consumer (and a
separate thread for the server?) comes across something that they think
might affect other consumers as well, regardless of the language they're
written in.
None of it has much to do with the actual protocol; these are simply things to
watch out for.
It should also make it easier for whoever is maintaining the spec (Brad?) to
decide which is important enough to list in the notes there.
Things I can recall right away:
1) when checking for the <link..> tag(s) make sure to restrict yourself to
the <head>...</head> section only (safest is to look for "<body" and cut off
there)
Someone might be able to inject HTML into the <body>..</body> and then claim
ownership of a page they don't really own. The injected HTML could be a
single <link..> tag, but could just as well be a <head>..</head> which is
why it's easiest to just cut off at the start of the body instead.
2) parse HTML entities in <link..> tag(s)
See http://lists.danga.com/pipermail/yadis/2005-July/001081.html
3) validate return_to when you get it back in an id_res response and you
have to use dumb mode (due to being stateless or due to invalidate_handle)
See http://lists.danga.com/pipermail/yadis/2005-July/001105.html
4) in a "key-value colon/newline" response the value may contain colons
Not really sure how relevant this is to everyone else, but I initially had a
problem because I was using token functions to retrieve the key and value
parts; on LiveJournal it failed because it issues an assoc_handle with a
colon in it.
5) keep track of the original URL in dumb mode if you're stateless
This is probably obvious, but just in case: when you're stateless the only
thing the protocol keeps track of is the OpenID URL (openid.identity). If
the user initially entered a URL that delegated to another URL then you'll
need to keep track of the original with a custom query parameter of your own
or you'll report the wrong ID for that user
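As an added example (not code from the original post, and not from any OpenID
library), here is one way a Python consumer can avoid pitfalls 1 through 5 in
one place: <link> discovery that cuts the page off at "<body" and decodes
entities in the href, a key:value parser that splits on the first colon only,
and a return_to that carries the consumer's own state (so a stateless consumer
can report the URL the user actually typed) and is checked against the URL the
id_res response arrived at. The parameter names rp.orig_id and rp.nonce, the
example.com hostnames, and all sample inputs are constructed for this example.

```python
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# --- Pitfalls 1 and 2: <link> discovery restricted to <head>, entities decoded ---
_BODY_RE = re.compile(r"<body[\s>]", re.IGNORECASE)
_LINK_RE = re.compile(r"<link\s+[^>]*>", re.IGNORECASE)
_ATTR_RE = re.compile(r"""([a-zA-Z:.-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")


def discover_links(page):
    """Return the openid.server / openid.delegate hrefs declared in <head>.
    Everything from the first '<body' onwards is dropped before searching, so a
    <link> (or a whole fake <head>) injected into the body cannot claim the page.
    Attribute values are entity-decoded ('&amp;' -> '&') before use."""
    m = _BODY_RE.search(page)
    head = page[:m.start()] if m else page
    found = {}
    for tag in _LINK_RE.finditer(head):
        attrs = {}
        for key, dq, sq, bare in _ATTR_RE.findall(tag.group(0)):
            attrs[key.lower()] = html.unescape(dq or sq or bare)
        rels = attrs.get("rel", "").lower().split()
        for rel in ("openid.server", "openid.delegate"):
            if rel in rels and "href" in attrs and rel not in found:
                found[rel] = attrs["href"]
    return found


# --- Pitfall 4: key:value newline responses whose values may contain colons ---
def parse_kv(body):
    """Parse a 'key:value' newline-separated response. Split on the FIRST colon
    only, so an assoc_handle such as 'lj:1120000000:abcdef' stays one value."""
    result = {}
    for line in body.split("\n"):
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed key-value line: %r" % line)
        result[key] = value
    return result


# --- Pitfalls 3 and 5: return_to carries our own state and is validated ---
def build_return_to(finish_url, original_id, nonce):
    """A stateless consumer has nowhere to remember the URL the user typed, so
    stash it (plus a nonce) in the consumer's own return_to query parameters.
    'rp.orig_id' and 'rp.nonce' are hypothetical names chosen for this example."""
    parts = urlsplit(finish_url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query["rp.orig_id"] = [original_id]
    query["rp.nonce"] = [nonce]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def validate_return_to(request_url):
    """Check an id_res response that arrived at request_url: the signed
    openid.return_to must be this consumer's own finish URL, with every
    parameter we put there still intact. check_authentication only proves the
    server signed the fields; it does not prove the assertion was issued for
    this consumer. Returns the original identifier stashed by build_return_to."""
    here = urlsplit(request_url)
    here_q = parse_qs(here.query, keep_blank_values=True)
    rt = urlsplit(here_q.get("openid.return_to", [""])[0])
    if (rt.scheme, rt.netloc, rt.path) != (here.scheme, here.netloc, here.path):
        raise ValueError("openid.return_to is not this consumer's URL")
    rt_q = parse_qs(rt.query, keep_blank_values=True)
    for key, values in rt_q.items():
        if here_q.get(key) != values:
            raise ValueError("return_to parameter %r was altered" % key)
    return rt_q["rp.orig_id"][0]


# Constructed sample inputs (not captured from any real site).
SAMPLE_PAGE = (
    '<html><head>\n'
    '<link rel="openid.server" href="https://id.example.com/server?x=1&amp;y=2">\n'
    '<link rel="openid.delegate" href="http://alice.example.com/">\n'
    '</head><body>\n'
    '<p>Comment left by a visitor: <head><link rel="openid.delegate"\n'
    '   href="http://mallory.example/"></head></p>\n'
    '</body></html>'
)
SAMPLE_ASSOC = ("assoc_type:HMAC-SHA1\nassoc_handle:lj:1120000000:abcdef\n"
                "expires_in:1209600\nmac_key:c2VjcmV0\n")
RETURN_TO = build_return_to("https://consumer.example.com/openid/finish",
                            "http://alice.example.com/", "n1")
_FIELDS = {"openid.mode": "id_res", "openid.identity": "http://alice.example.com/",
           "openid.signed": "mode,identity,return_to",
           "openid.assoc_handle": "lj:1120000000:abcdef", "openid.sig": "c2ln"}
SAMPLE_ID_RES = RETURN_TO + "&" + urlencode({**_FIELDS, "openid.return_to": RETURN_TO})
# The same fields, but signed for somebody else's return_to and delivered to us.
FORGED_ID_RES = RETURN_TO + "&" + urlencode(
    {**_FIELDS, "openid.return_to": "https://mallory.example/finish"})

if __name__ == "__main__":
    print(discover_links(SAMPLE_PAGE))
    print(parse_kv(SAMPLE_ASSOC)["assoc_handle"])
    print(validate_return_to(SAMPLE_ID_RES))
```

Run as-is it prints the two <head> links (the delegate injected into the
body is ignored), the colon-containing assoc_handle, and the original
identifier recovered from return_to; passing FORGED_ID_RES to
validate_return_to raises ValueError before any check_authentication call
would be made.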