- From: The Moisrex <notifications@github.com>
- Date: Mon, 05 Jan 2026 00:33:21 -0800
- To: whatwg/url <url@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/url/issues/893/3709419531@github.com>
the-moisrex left a comment (whatwg/url#893)

@annevk What I'm saying is that `http://///////////////////////////////////////127.0.0.1` is not a mistake to be ignored by warnings. It's a deliberate attempt at something, possibly an attack.

What I'm suggesting is to put limits on these things. And also, for example, for `http://127.0.0x0.0x0000000000000000000000000000000000000000000000000000000000000001`.

These are not mistakes. These should fail. Someone is trying to get clever with something. Trying to overflow something, or bypass something. Doesn't matter what.

We could put a limit on this; for example, more than 10 slashes or forward slashes in [special-authority-ignore-slashes-state](https://url.spec.whatwg.org/#special-authority-ignore-slashes-state) must record an error and not just a log/warning/ignored. Same goes for any other place where these repeating characters or patterns can appear.

Another example that comes to mind is `http://example.com/../../../../../`. We should limit that to, for example, 10 or 20 levels above the root, or 10 or 20 levels of things like this: `http://example.com/././././././././././././.`

These repeating patterns should be limited. We could debate the numbers.

--
Reply to this email directly or view it on GitHub: https://github.com/whatwg/url/issues/893#issuecomment-3709419531
Received on Monday, 5 January 2026 08:33:25 UTC
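
The limits proposed in the comment above, sketched as a pre-parse check layered on the runtime's WHATWG `URL` parser. This is an added example, not code from the thread or the URL Standard; `checkUrlLimits`, `parsedHost`, the finding labels and the `LIMITS` values are assumptions chosen for illustration.

```javascript
// Added example, not from the spec or the thread. LIMITS are assumptions:
// slashes/dotSegments use the comment's "for example 10"; 12 chars is the
// longest canonical 32-bit IPv4 part (octal 037777777777).
const LIMITS = { slashes: 10, dotSegments: 10, ipv4PartChars: 12 };
const SPECIAL = new Set(["http", "https", "ws", "wss", "ftp"]);
const DOT_SEGMENT = /^(\.|%2e){1,2}$/i;         // ".", ".." and their %2e forms
const IPV4_NUMBER = /^(0x[0-9a-f]*|[0-9]+)$/i;  // decimal, octal or hex part

// What the platform's WHATWG parser makes of the input (null if it rejects it).
function parsedHost(input) {
  try { return new URL(input).hostname; } catch { return null; }
}

function checkUrlLimits(input, limits = LIMITS) {
  const findings = [];
  const m = /^([a-z][a-z0-9+.-]*):([\\/]*)([^\\/?#]*)([^?#]*)/i.exec(input.trim());
  if (m && SPECIAL.has(m[1].toLowerCase())) {
    const [, , slashes, authority, path] = m;
    // Slashes the special-authority-ignore-slashes state would silently skip.
    if (slashes.length > limits.slashes) findings.push(`authority-slashes:${slashes.length}`);

    // Host = authority minus userinfo and port; one trailing dot is ignored.
    const host = authority.slice(authority.lastIndexOf("@") + 1).replace(/:\d*$/, "");
    const parts = host.replace(/\.$/, "").split(".");
    if (IPV4_NUMBER.test(parts[parts.length - 1])) { // host ends in a number
      for (const p of parts) {
        if (IPV4_NUMBER.test(p) && p.length > limits.ipv4PartChars) {
          findings.push(`ipv4-part-chars:${p.length}`);
        }
      }
    }

    // "." and ".." segments in the path, before the parser collapses them.
    const dots = path.split(/[\\/]/).filter((s) => DOT_SEGMENT.test(s)).length;
    if (dots > limits.dotSegments) findings.push(`dot-segments:${dots}`);
  }
  return { ok: findings.length === 0, findings, parsedHost: parsedHost(input) };
}

// Constructed inputs modelled on the URLs quoted in the comment.
const samples = [
  "http:" + "/".repeat(40) + "127.0.0.1",
  "http://127.0.0x0.0x" + "0".repeat(60) + "1",
  "http://example.com" + "/.".repeat(13),
  "http://example.com/../../../../../",
];
for (const s of samples) console.log(checkUrlLimits(s), s.slice(0, 48));
```

`parsedHost` is returned next to the findings so a log entry shows both the raw input that tripped a limit and the host the parser would have normalized it to.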