[OSM-dev] Restrict key names on order to retain reusability of OSM

Jochen Topf jochen at remote.org
Tue Feb 12 14:20:33 GMT 2008


I strongly support the use of UTF-8 in keys. We shouldn't restrict that
just to make it easier for programmers.

But, being a programmer myself, I know programmers are lazy. And while I
don't see problems with general Unicode characters, I do see problems
with special characters such as "=" (because we generally use it as delimiter
between key and value) and "<", ">", and quotes etc. They are special in
many databases, XML, HTML etc. and allowing them always sooner or later
breaks programs and, worse, creates security holes (SQL injection,
x-site-scripting, ...). Sure, they can be avoided if you take care, but
who does? (We already had a security problem because of a similar thing
a few weeks ago.)

So if anybody would propose to not allow some of these characters in
tag keys (or, for that matter, user names), I'd be in favour. On the
other hand, we must allow these in tag values anyway, so maybe its not
worth it.

Jochen Topf  jochen at remote.org  http://www.remote.org/jochen/  +49-721-388298

More information about the dev mailing list