- From: RelunSec <notifications@github.com>
- Date: Sun, 04 Jan 2026 00:36:07 -0800
- To: whatwg/url <url@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Sunday, 4 January 2026 08:36:11 UTC
HackingRepo left a comment (whatwg/url#893)

Glad to hear the Firefox bug was fixed but that highlights the deeper problem: implementations shouldn’t need to stumble across %2e quirks in the first place. The WHATWG spec currently normalizes too many malformed inputs, which makes it hard for developers to rely on URL parsing for security‑sensitive contexts.

A strict mode (or at least more validation errors) would give us a way to reject inputs like encoded dots, octal/hex IPv4, or empty labels outright instead of silently accepting them. That way, browsers can keep their permissive behavior for compatibility, but servers, libraries, and security tools can opt into a safer mode.

Fixing individual bugs is good, but without a strict mode we’ll keep rediscovering these edge cases across different implementations.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/url/issues/893#issuecomment-3707868782
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/url/issues/893/3707868782@github.com>
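An added example, not part of the original message or of the WHATWG spec: a pre-check on the raw string that rejects the three input classes the comment names (encoded dots, octal/hex IPv4, empty labels), shown next to what the permissive `URL` parser silently normalizes them to. The names `strictUrlViolations` and `compare`, the violation labels, and the sample URLs are constructed for illustration, and the authority/path split assumes a plain `scheme://authority/path` form.

```javascript
// Added example: strict pre-check on the raw URL string, run before WHATWG parsing.
// Function names and violation labels are hypothetical, not from any spec or library.
const HEX_PART = /^0x[0-9a-f]*$/i; // e.g. 0x7f
const OCTAL_PART = /^0[0-9]+$/;    // e.g. 0177 (a leading zero means octal to the parser)

function strictUrlViolations(input) {
  const violations = [];
  // Assumption: scheme://authority/path form; anything else is rejected outright.
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)([^?#]*)/i.exec(input);
  if (!m) return ['unsupported-form'];
  const [, authority, path] = m;

  // Drop userinfo and port to get the raw, un-normalized host.
  let host = authority.slice(authority.lastIndexOf('@') + 1);
  const isBracketed = host.startsWith('['); // IPv6 literal: skip the label checks
  if (!isBracketed) host = host.replace(/:\d*$/, '');

  if (/%2e/i.test(host) || /%2e/i.test(path)) violations.push('encoded-dot');

  if (!isBracketed) {
    const labels = host.split('.');
    // A single trailing dot (root label) is tolerated here; that is a choice of this example.
    if (labels.length > 1 && labels[labels.length - 1] === '') labels.pop();
    if (labels.some((l) => l === '')) violations.push('empty-label');

    // The WHATWG parser treats the host as IPv4 when its last label is numeric.
    const last = labels[labels.length - 1];
    const endsInNumber = /^[0-9]+$/.test(last) || HEX_PART.test(last);
    if (endsInNumber && labels.some((l) => HEX_PART.test(l) || OCTAL_PART.test(l))) {
      violations.push('octal-or-hex-ipv4');
    }
  }
  return violations;
}

// What the permissive parser yields versus the strict verdict on the same input.
function compare(input) {
  let parsed = null;
  try { const u = new URL(input); parsed = u.hostname + u.pathname; } catch { /* parser rejected it */ }
  return { parsed, violations: strictUrlViolations(input) };
}

// Constructed sample inputs.
for (const s of ['http://0x7f.1/', 'http://0177.0.0.1/', 'http://example.com/a/%2e%2e/b',
                 'http://example..com/', 'http://example.com/a/b']) {
  console.log(s, JSON.stringify(compare(s)));
}
```

The check has to run on the raw input: once `new URL()` has returned, the hex host and the `%2e%2e` segment are already normalized away and can no longer be detected.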