- From: Mike West <notifications@github.com>
- Date: Mon, 18 Sep 2017 00:59:53 -0700
- To: whatwg/url <url@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 18 September 2017 08:00:19 UTC
@achristensen07: @annevk linked to some related conversations that discuss motivations (@bzbarsky's discussion of `<>` in #291 is compelling, for instance).

I'm hopping on this due to some marginal risk of code injection when developers reflect `url.hash` into their pages: that risk would be mitigated if we were a little more strict about encoding these characters. Based on some spot-checking, Firefox encodes at least `"`, ``` ` ```, `<`, and `>` in addition to everything above 0x7E, which is an indication that we can tighten things up here while maintaining compatibility with the web.

Do you have a set of characters you'd prefer to use instead of the query encoding set? As long as the set includes `<` and `>`, I'll be happy. :)

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/url/issues/344#issuecomment-330151488
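
The mitigation discussed in the message above, as an added example that is not part of the original message or of any browser's code: a fragment encoder built on the character set the comment lists, and its effect on a page that reflects the hash without escaping. The function names, the sample fragment, and the inclusion of C0 controls and space in the set are assumptions made here.

```javascript
// Characters the comment reports Firefox encoding in fragments: " ` < > and
// everything above 0x7E. C0 controls and space are added here as an assumption.
const ENCODE_ASCII = new Set(['"', '`', '<', '>', ' ']);

function needsEncoding(byte) {
  return byte <= 0x1f || byte > 0x7e || ENCODE_ASCII.has(String.fromCharCode(byte));
}

// Percent-encode a fragment (without the leading '#') byte by byte as UTF-8.
// '%' is not in the set, so already-encoded input passes through unchanged.
function encodeFragment(fragment) {
  let out = '';
  for (const b of new TextEncoder().encode(fragment)) {
    out += needsEncoding(b)
      ? '%' + b.toString(16).toUpperCase().padStart(2, '0')
      : String.fromCharCode(b);
  }
  return out;
}

// Hypothetical page code: reflects the hash into markup with no output escaping.
function reflect(hash) {
  return '<p>Section: ' + hash + '</p>';
}

// True when a value carries the markup-significant characters named in the comment.
function hasMarkupChars(value) {
  return /[<>"`]/.test(value);
}

// Constructed sample fragment, harmless markup only.
const raw = 'intro<b title="x">é';
const encoded = encodeFragment(raw);

console.log(reflect(raw));     // fragment characters become part of the markup
console.log(reflect(encoded)); // fragment stays inert text
// Decoding before reflecting restores the original characters, so a page that
// decodes the hash still needs output escaping.
console.log(hasMarkupChars(decodeURIComponent(encoded)));
```
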