You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
After this it proceeds to describe how different parsing states should be processed and in host state/hostname state it states that a bad host should result in a parsing termination error (points 3 and 4):
Finally, forbidden host code point includes tab as an invalid character, which should fail URL parsing or a manufactured host name will be produced.
This ordering of stripping all tabs from a URL and then not allowing tabs in host names prevents host names from being validated properly (i.e. invalid characters are removed before they can be evaluated).
This has an immediate effect on some of the current libraries. For example Python's urlsplit will take abc<tab>xyz.test and will manufacture a host name abcxyz.test, which happens because they remove tabs from the URL, before having a chance to validate the host name.
The text was updated successfully, but these errors were encountered:
What is the issue with the URL Standard?
In this document:
https://url.spec.whatwg.org/#concept-basic-url-parser
Item 3 says:
After this it proceeds to describe how different parsing states should be processed and in
host state
/hostname state
it states that a bad host should result in a parsing termination error (points 3 and 4):In host parsing, it says that a forbidden code point should terminate parsing:
Finally, forbidden host code point includes tab as an invalid character, which should fail URL parsing or a manufactured host name will be produced.
This ordering of stripping all tabs from a URL and then not allowing tabs in host names prevents host names from being validated properly (i.e. invalid characters are removed before they can be evaluated).
This has an immediate effect on some of the current libraries. For example Python's
urlsplit
will takeabc<tab>xyz.test
and will manufacture a host nameabcxyz.test
, which happens because they remove tabs from the URL, before having a chance to validate the host name.The text was updated successfully, but these errors were encountered: