Description
toLeopard currently defines a default function for getAssetURL, which takes the type of the asset (costume/sound), the target's CapitalCamelCased name, the name as-is of the asset, and the asset's file extension.
This causes a few concerns and troubles when actually generating or serving those assets:
- Slashes represent directories. This seems like it would impact generation and serving; I haven't looked into it carefully yet.
- Question marks represent query strings. Can be trouble when serving static files.
- `.` and `..` are invalid names for files, and so are files that end with a `.` (https://superuser.com/a/1434917)... but we avoid these, because we always include `.${ext}` as part of (and the end of) the string.
- Though, assets that are currently named `../../../../spooky` may be a cause for security trouble.
It would be nice to just use encodeURIComponent but I'm honestly not sure if that's sufficient for normal static file servers.
The other approach is to sanitize asset names, either inside getAssetURL or before passing there. We "sanitize" target names by CapitalCamelCasing them already, so it's not totally unreasonable to do similar with costume names. I think I'd rather do this work outside of getAssetURL because forcing custom implementations to do similar work seems like a source of trouble, if at the end of the day we're asking for and expecting a URL anyway (so best to avoid characters that cause trouble for typical URLs).
We need to make sure if we change anything about getAssetURL internally, other custom getAssetURL (in toLeopard consumers) are updated accordingly. Probably just leopard-website, if any.
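An added example (my code, not toLeopard's or leopard-website's) of the sanitize-before-getAssetURL approach discussed above: a sanitizer that neutralises slashes, question marks and leading dots, a default getAssetURL built on it, and a check that a generated URL contains no traversal segment. Function names, the `Target/costumes/name.ext` layout and the `unnamed` fallback are assumptions.

```javascript
// Added example (not toLeopard's own code). Function names, the
// "<Target>/<type>s/<name>.<ext>" layout and the "unnamed" fallback are assumptions.

// Neutralise characters that are path separators, query/fragment delimiters
// or otherwise awkward for static file servers, and strip leading dots so a
// name can never collapse to "." or ".." once ".${ext}" is appended.
function sanitizeAssetName(name) {
  const cleaned = String(name)
    .replace(/[\/\\?#%:*"<>|]/g, "_") // separators and URL/filesystem-reserved chars
    .replace(/[\x00-\x1f\x7f]/g, "")  // control characters
    .replace(/^\.+/, "")              // no dot-only or dot-leading names
    .replace(/\s+/g, " ")
    .trim();
  return cleaned.length > 0 ? cleaned : "unnamed";
}

// A default getAssetURL with the parameters the issue describes: asset type,
// the target's already-CapitalCamelCased name, the raw asset name, and the
// file extension. The sanitised name is additionally percent-encoded so that
// characters which are fine in file names but special in URLs (spaces, "=",
// "&") survive the trip through a static server.
function getAssetURL(type, targetName, name, ext) {
  return `${targetName}/${type}s/${encodeURIComponent(sanitizeAssetName(name))}.${ext}`;
}

// Defender-side check for generated URLs: after percent-decoding, no path
// segment may be ".." (raw or encoded as %2E%2E), so nothing can escape the
// target's asset directory. Malformed encodings are treated as unsafe.
function hasNoTraversal(url) {
  try {
    return url.split("/").every((seg) => decodeURIComponent(seg) !== "..");
  } catch (e) {
    return false;
  }
}

console.log(getAssetURL("costume", "Sprite1", "../../../../spooky", "svg"));
// Sprite1/costumes/_.._.._.._spooky.svg
```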