20 comments

[ 3.2 ms ] story [ 50.0 ms ] thread
Cool thanks I 100% will not, if only because newlines are header separators in HTTP.
I don't even put space characters in my filenames. May MyDocu~1 live on forever.
>Remove all ASCII tab or newline from input.

the title is referring to inside html attributes, where they will be removed hence not affect where the link points.

You can put pickle juice in your cereal too
Vertical tabs in file names is where it’s at.
title is misleading. I agree with @bmandale's comment.
on a side note you can use many surprising non-standard HTTP verbs, but many CDNs like Cloudflare filter them
After I read this, I started to look at the Wikipedia article on Base64 and eventually got to the article for the data URI scheme. That's where I found a sentence that seems to a little bit at odds with the blogpost. The Wikipedia article mentions that "whitespace characters are not permitted in data URIs".

But then I suppose it goes back to the main thrust of the blogpost because it says that in the context of HTML 4 and 5, that linefeeds within an attribute value are ignored. So possibly there are some other contexts where whitespace might not be ignored.

- https://lemire.me/blog/ I am not able to see a quick list of all the posts on your blog, I tried all the pages

- https://lemire.me/posts

- https://lemire.me/archive

- https://lemire.me/archives

- Everyone of them gives me a 404, can you kindly add some page on your blog form where I can just see the titles of all the articles quickly?

- Most blogs posted on HN are not user friendly in this regard, sometimes the reader wants a quick glimpse of everything on 1 page so that they can quickly pick interesting stuff

“Hey you got new lines in my URLs!”

“You got URLs in my new lines!”

I stopped reading Daniel Lemire a while back.

He had a blog post that seemed just weird and out of left field. Like it was clearly a response to something but what? What was the motivation for it?

When asked he said y'know. He just thinks about stuff and writes and that's what he does.

Turns out the blog post was a post he also made on social media. And said post was a response to something. And I guess he thought it was pretty good writing and should go on his blog, too.

Nothing wrong with that on it's own but I feel like most people would preface a post like that with "I saw this thing." And when directly asked like... He just straight up lied?

That whole thing just rubbed me the wrong way.

For full context https://lemire.me/blog/2025/10/17/research-results-are-cultu...

In the comments I turned into kind of a dick. I was pretty upset about being lied to.

Anyways between that and articles like this that are honestly useless and kinda misleading - I'm not really the biggest fan.

Wild! I like it thanks for the writeup!
Yeah, they might be ignored by the html parser and might "work".

Still, not a bright idea.

“Your scientists were so preoccupied with whether or not they could, they didn't stop to think if they should”
This sort of thing is sometimes used in so-called "scriptless xss" attacks, where if you can force the website to have an unclosed url, you can capture part of the page contents (hopefully containing secrets) and exfiltrate it.

To the point where chrome stopped allowing newlines in some circumstances https://chromestatus.com/feature/5735596811091968

You’re a braver coder than me if you trade off potential errors in a massive pipeline of browsers, DNS, cache servers and proxies just so your code looks a bit neater! (EDIT: But this is a welcome, interesting post, just to be clear!)
This looks like a good way to trip up crappily built bots
> Effectively, the error is ignored although it might be logged. Thus our HTML is fine in practice.

That is not the right mindset to create good things. If it's an error, it's not fine.

Wait, does that mean that you could make an ASCII representation of a QR code that points to the URL that the QR code was made of?