Re: [whatwg/url] URL path shortening for ../ creates problem with other URL parsers that do not follow the whatwg standard (Issue #810) from stefanbeigel on 2023-12-27 (public-webapps-github@w3.org from December 2023)

From: stefanbeigel <notifications@github.com>
Date: Wed, 27 Dec 2023 07:44:44 -0800
To: whatwg/url <url@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/url/issues/810/1870420771@github.com>

> Using different parsers is a known security vulnerability and it's one of the reasons we have standardized how URLs are parsed, so more tooling can interoperate with it.
Are there any plans to also adapt server side parsing of the url in nodejs / the http server module to use the whatwg URL class?
I know it might be better to ask this the nodejs team but I guess you are also in contact with them.

>I hope you're not expecting that we change the standard over this as that would undoubtedly break the web.
Well actually I would question why it's defined in the standard like this, why not leave the path as it is?
With this the whatwg url standard automatically creates issues with other url parsers that do not evaluate ../ 

BR



-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/url/issues/810#issuecomment-1870420771
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/url/issues/810/1870420771@github.com>

Received on Wednesday, 27 December 2023 15:44:50 UTC