Well it looks like Jesper’s blog prompted Mozilla to eat some serious crow as they have now finally admitted that they aren’t really any different than IE in terms of parameter parsing / handling and thus Firefox could be used to attack other protocol handlers in the same way IE is. The only difference is they appear to be willing to change the design of Firefox and are allegedly working on a fix . . . I’m not sure that’s the right thing to do – the parameter parsing / validation code should really be done by the registered protocol handlers – but whatever. I’m sure they’ll fix it and then start their attacks on IE anew.
Jesper does a pretty good job of addressing the question of who was at fault in the whole IE vs. Firefox debate that has been raging for some time over in his blog here: http://msinfluentials.com/blogs/jesper/archive/2007/07/20/hey-mozilla-quotes-are-not-legal-in-a-url.aspx He even goes so far as to point out an amusing contradiction in the Mozilla team’s position – it’s a good read.
Personally – I think it’s pretty obvious that IE shouldn’t attempt to filter or encode or otherwise change the data that is passed into the application registered to the protocol handler in any way . . . how do we know that doing so wouldn’t screw up what the application expects?
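
The argument above, that parsing and validation belong in the registered protocol handler, could look like this on the handler side. This is an added example, not code from this post, Jesper's blog or either browser; the `example` scheme, the function name and the rejection policy are all assumptions.

```python
import re
import string
from urllib.parse import unquote

# Characters RFC 3986 permits in a URI: unreserved, reserved, and "%" for
# escapes. Double quotes, spaces, backslashes and control characters are absent.
URI_CHARS = set(string.ascii_letters + string.digits + "-._~:/?#[]@!$&'()*+,;=%")
BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")


def check_handler_url(arg, scheme):
    """Return (ok, reason) for the raw URL a handler was launched with."""
    if not arg.lower().startswith(scheme.lower() + ":"):
        return False, "wrong scheme"
    illegal = sorted({c for c in arg if c not in URI_CHARS})
    if illegal:
        return False, "illegal characters: " + " ".join(map(repr, illegal))
    if BAD_ESCAPE.search(arg):
        return False, "malformed percent-escape"
    # Assumed policy for this hypothetical handler: an escape must not decode
    # to a double quote or a control character, because the handler decodes
    # the value before using it.
    decoded = unquote(arg)
    if any(c == '"' or ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        return False, "escape decodes to quote or control character"
    return True, "ok"


# Constructed sample inputs for a hypothetical "example:" scheme.
SAMPLES = [
    'example:open?id=42',
    'example:open?id=42" extra',
    'example:open?id=%2',
    'example:open?id=%22x',
    'other:open?id=42',
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(repr(url), "->", check_handler_url(url, "example"))
```

The handler rejects anything it cannot interpret safely rather than relying on the browser to have cleaned the string first.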