Re: [whatwg/url] Percent-decode more stuff? (#87)

No, none of those percents are encoded or decoded. 

Also, I don't think it is adequate to protect servers by relying on the client getting rid of %2e%2e in the path. A server should have to protect itself from requests for ../../../etc. even from malicious clients that do not obey the URL spec. I don't see how parsing %2e%2e as .. protects servers. 

-- 
https://github.com/whatwg/url/issues/87#issuecomment-256532372

Received on Thursday, 27 October 2016 02:45:37 UTC
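
The point made in the message above, as an added example that is not part of the original email: a server-side containment check applied to the raw request path, which makes no assumption that the client normalized `%2e%2e`. The function name `resolveRequestPath` and the sample paths are constructed for illustration.

```javascript
// Added example: the server decodes and normalizes the path itself, then
// refuses anything that would leave the document root.

// Returns a normalized path beneath the root ("/a/b"), or null when the
// request is malformed or would climb above the root.
function resolveRequestPath(rawPath) {
  // Keep only the path component; query and fragment are not file names.
  const pathOnly = rawPath.split(/[?#]/, 1)[0];
  const out = [];
  for (const rawSeg of pathOnly.split("/")) {
    let seg;
    try {
      // Decode exactly once, per segment: "%2e%2e" becomes "..".
      seg = decodeURIComponent(rawSeg);
    } catch {
      return null; // malformed percent-escape such as "%zz"
    }
    // A decoded separator or NUL means the segment hides extra structure
    // (for example "..%2f.."); reject instead of guessing.
    if (/[\/\\\0]/.test(seg)) return null;
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (out.length === 0) return null; // would escape the root
      out.pop();
      continue;
    }
    out.push(seg);
  }
  return "/" + out.join("/");
}

// Constructed sample request paths, as a non-conforming client might send them.
const samples = [
  "/docs/../index.html",
  "/docs/%2e%2e/%2E%2e/etc",
  "/../../../etc",
  "/docs/..%2f..%2fetc",
  "/docs/%252e%252e/x", // decoded once: a literal "%2e%2e" name, not ".."
];
for (const p of samples) {
  console.log(JSON.stringify(p), "->", resolveRequestPath(p));
}
```

A path returned by this function must not be percent-decoded again before it reaches the filesystem, otherwise the double-encoded case becomes `..` after the check has already passed.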