- From: Mark Nottingham <notifications@github.com>
- Date: Mon, 24 May 2021 00:07:46 -0700
- To: whatwg/url <url@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 24 May 2021 07:07:58 UTC
Encoding raw characters that don't need to be encoded before they're consumed by applications is unexpected behaviour, without some sort of documentation or justification. I could see mitigating XSS as a justification for _serialising_ a URL with encoded `'`, but that wasn't discussed above, and we're talking about parsing behaviour -- the encoding is surfaced in the API offered to applications.

Given that WHATWG specs like URL are "low-level", I'd think that the focus would be on offering high-fidelity APIs for what's seen on the wire, rather than anticipating issues like XSS, when those only affect a subset of users (especially with `.username` and `.password` properties). That could be addressed by wrappers, or perhaps a separate function...

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: https://github.com/whatwg/url/issues/608#issuecomment-846815915
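The wrapper idea raised at the end of the comment, as an added example that is not from the thread or the WHATWG spec: it shows what a WHATWG-conformant `URL` surfaces in `.username` and `.password` (the userinfo percent-encode set is applied at parse time) and a lenient percent-decoder, written here along the lines of the spec's percent-decode algorithm, that hands a caller the wire-level characters back. Assumes Node.js with its built-in `URL`, `TextEncoder` and `TextDecoder`.

```javascript
// Lenient percent-decode: every valid %XX sequence becomes one byte, anything
// else (including a stray '%' or a truncated '%4') passes through unchanged.
// Unlike decodeURIComponent this never throws; invalid UTF-8 becomes U+FFFD,
// which is the behaviour the URL spec's "percent-decode" + UTF-8 decode gives.
function percentDecode(input) {
  const src = new TextEncoder().encode(input);
  const out = [];
  const isHex = (b) =>
    (b >= 0x30 && b <= 0x39) || (b >= 0x41 && b <= 0x46) || (b >= 0x61 && b <= 0x66);
  for (let i = 0; i < src.length; i++) {
    const b = src[i];
    if (b === 0x25 && i + 2 < src.length && isHex(src[i + 1]) && isHex(src[i + 2])) {
      out.push(parseInt(String.fromCharCode(src[i + 1], src[i + 2]), 16));
      i += 2; // consume the two hex digits
    } else {
      out.push(b);
    }
  }
  return new TextDecoder("utf-8").decode(Uint8Array.from(out));
}

// Wrapper (hypothetical, not a WHATWG API): parse with the platform URL
// parser, then expose both what the API returns and the raw wire characters.
function userinfoView(urlString) {
  const u = new URL(urlString);
  return {
    // what the standard API surfaces to applications
    encoded: { username: u.username, password: u.password },
    // what was actually on the wire, recovered by the wrapper
    raw: { username: percentDecode(u.username), password: percentDecode(u.password) },
  };
}

// Constructed sample: '"' is in the userinfo percent-encode set, so the API
// returns it as %22 even though the application did nothing to encode it.
const sample = userinfoView('http://u"s:pa\'ss@example.com/');
console.log(sample.encoded); // username is surfaced as 'u%22s'
console.log(sample.raw);     // wrapper gives 'u"s' and "pa'ss" back
```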