- From: Timothy Gu <notifications@github.com>
- Date: Wed, 11 Dec 2019 09:51:07 -0800
- To: whatwg/url <url@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 11 December 2019 17:51:09 UTC
https://url.spec.whatwg.org/#forbidden-host-code-point currently lists a number of code points as forbidden in hosts. However, some implementations have more:
- [Gecko](https://searchfox.org/mozilla-central/rev/62a130ba0ac80f75175e4b65536290b52391f116/netwerk/base/nsStandardURL.cpp#67-80) additionally has `*<>^|"` (`^` was [recently added](https://bugzilla.mozilla.org/show_bug.cgi?id=1548306))
- [WebKit](https://github.com/WebKit/webkit/blob/fc9fab113bf5016fc7cecc812760487ef615fd43/Source/WebCore/platform/URLParser.cpp#L154-L411) additionally has `<>` (added in [2018](https://github.com/WebKit/webkit/commit/eb0f458f05e0886de8881edf5fa64978c0e0439e))
Considering `<>` seem to be forbidden in two browsers, we should consider making them forbidden too. The list is testable through `new URL('http://</').href`.
See also: nodejs/node#30223
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/url/issues/458
Received on Wednesday, 11 December 2019 17:51:09 UTC