[whatwg/url] "For each byte in buffer: If byte is less than ..." (#379) from Linus Lewandowski on 2018-04-10 (public-webapps-github@w3.org from April 2018)

From: Linus Lewandowski <notifications@github.com>
Date: Tue, 10 Apr 2018 14:17:15 -0700
To: whatwg/url <url@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/url/issues/379@github.com>

https://url.spec.whatwg.org/commit-snapshots/a1b789c6b6c36fcdb16311da5abd177e84151fca/#url-parsing

> For each byte in buffer:
> 
> If byte is less than 0x21 \(\!\), greater than 0x7E \(\~\), or is 0x22 \("\), 0x23 \(\#\), 0x3C \(&lt;\), or 0x3E \(&gt;\), append byte, percent encoded, to url’s query\.
> 
> Otherwise, append a code point whose value is byte to url’s query\.

This leads to creation of invalid URLs - ones that contain ```[, \, ], ^, `, {, |, }```, which are neither [URL code points](https://url.spec.whatwg.org/#url-code-points) nor '%' and trigger validation errors:

>Otherwise:
>
> If c is not a URL code point and not U+0025 (%), validation error.

I think that either:
* the list of URL code points should be expanded to include more characters - and they should not trigger validation errors, or
* these ones should be escaped too.

Related issue: #378

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/url/issues/379

Received on Tuesday, 10 April 2018 21:17:39 UTC