- From: Karl <notifications@github.com>
- Date: Mon, 29 Nov 2021 11:12:36 -0800
- To: whatwg/url <url@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 29 November 2021 19:12:48 UTC
I think this is possible, but can be quite tricky. IMO this operation should avoid anything which would cause _other_ URL components to be interpreted with a different meaning, and that may require a lot of testing/fuzzing/etc to figure out. But I think it's possible. A few cases I can think of: - Empty hostnames should be checked before re-parsing. They're not allowed in special URLs (except file) anyway, so it's fine to bail, but `sc:////////////notahost` would be reparsed to `http://notahost/` which seems dangerous. - Unescaped backslashes should be checked and maybe percent-encoded? `sc://host/some/path\..\..\etc\passwd` gets reparsed as `http://host/etc/passwd`. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/url/issues/674#issuecomment-981933786
Received on Monday, 29 November 2021 19:12:48 UTC