- From: Timothy Gu <notifications@github.com>
- Date: Sat, 22 May 2021 00:49:21 -0700
- To: whatwg/url <url@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Saturday, 22 May 2021 07:49:36 UTC
@mnot Why do you say that `'` and `;` **need** to be unescaped? RFC 3986 Sections [2.3](https://www.rfc-editor.org/rfc/rfc3986.html#section-2.3) and [6.2.2.2](https://www.rfc-editor.org/rfc/rfc3986.html#section-6.2.2.2) say that only `unreserved` characters need to be decoded:

> For consistency, percent-encoded octets in the ranges of ALPHA (%41-%5A and %61-%7A), DIGIT (%30-%39), hyphen (%2D), period (%2E), underscore (%5F), or tilde (%7E) should not be created by URI producers and, when found in a URI, should be decoded to their corresponding unreserved characters by URI normalizers. (sec. 2.3)

> [S]ome URI producers percent-encode octets that do not require percent-encoding, resulting in URIs that are equivalent to their non-encoded counterparts. These URIs should be normalized by decoding any percent-encoded octet that corresponds to an unreserved character, as described in Section 2.3. (sec. 6.2.2.2)

Nothing seems to forbid implementations from encoding sub-delims as they see appropriate, for e.g., XSS mitigations.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/url/issues/608#issuecomment-846370423
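An added example, not part of the original message or of any WHATWG or browser code: a normalizer that decodes only the percent-encoded unreserved octets named in the quoted sec. 2.3 text, so escaped sub-delims such as `%27` and `%3B` pass through untouched. The function names and sample URLs are constructed for illustration.

```javascript
// Added example: decode only percent-encoded *unreserved* octets
// (ALPHA / DIGIT / "-" / "." / "_" / "~"), as in RFC 3986 sec. 2.3 and 6.2.2.2.
// Function names and sample inputs are hypothetical, not from the thread.
const UNRESERVED = /^[A-Za-z0-9\-._~]$/;

function decodeUnreservedEscapes(uri) {
  // One left-to-right pass over the input: a triplet such as "%25" is left
  // encoded, so "%2541" is never re-scanned and turned into "A".
  return uri.replace(/%([0-9A-Fa-f]{2})/g, (triplet, hex) => {
    const ch = String.fromCharCode(parseInt(hex, 16));
    // Sub-delims (%27, %3B), other reserved octets, and non-ASCII bytes
    // (for example %C3%A9) stay exactly as the producer wrote them.
    return UNRESERVED.test(ch) ? ch : triplet;
  });
}

function sameAfterUnreservedDecoding(a, b) {
  // Two URIs compare equal here only if they differ in how unreserved
  // characters were escaped; an escaped sub-delim is not folded into its
  // literal form by this step.
  return decodeUnreservedEscapes(a) === decodeUnreservedEscapes(b);
}

// Constructed sample inputs.
const samples = [
  "/%7Euser/%41%2Dz",   // unreserved octets: decoded
  "/q?x=%27%3B",        // escaped ' and ; : kept encoded
  "/p/%2541",           // escaped percent sign: kept, no double decoding
  "/caf%C3%A9",         // UTF-8 bytes outside ASCII: kept
];
for (const s of samples) {
  console.log(s, "->", decodeUnreservedEscapes(s));
}
```
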