Re: [whatwg/url] javascript: URL parsing (#307)

Instead of "uncomfortable" how about "semantically meaningless"?

IIUC, `javascript://` is a script containing a single comment. Setting `username` on it then modifies that comment to have an extra string at the beginning? It appears to be a harmless but nonsensical operation. But if there turned out to be a scenario in which it actually had some functional impact I would regret it. To me it looks like a security hole waiting for somebody to come along and find a way to exploit it.

-- 
https://github.com/whatwg/url/issues/307#issuecomment-1333084117

Message ID: <whatwg/url/issues/307/1333084117@github.com>

Received on Thursday, 1 December 2022 02:52:38 UTC