[Webkit-unassigned] [Bug 172748] Consider blocking requests to HTTP(S) URLs that contain both `\n` and `<` characters.

bugzilla-daemon at webkit.org
Fri Sep 13 08:57:20 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=172748

--- Comment #3 from Alex Christensen <achristensen at apple.com> ---
URLs are used in a lot of places that aren't vulnerable to dangling markup attacks, so it definitely shouldn't go in the URL parser or specification.  HTML is a more appropriate place because you're trying to avoid URLs that look like HTML, and URLs should not need to know anything about HTML.

That said, I'm worried about compatibility.  I'm under the impression that hand-written URLs sometimes contain tabs, newlines, < and > for good reasons, but I have no data to back that up.

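The check named in the bug title, placed where the comment above argues it belongs: on the raw attribute value at the HTML layer, before URL parsing. This is an added example, not WebKit code and not part of the original message; the function names, base URL and sample values are assumptions constructed for illustration.

```javascript
// Added example (hypothetical names): HTML-layer check on the raw value.
const BASE = "https://example.com/page.html"; // assumed document base URL

// Constructed sample attribute values, not taken from the bug report.
const SAMPLES = [
  "https://example.com/img.png",                  // ordinary URL
  "https://example.com/a\n  b.png",               // hand-wrapped URL: newline only
  "https://example.com/search?q=a<b",             // '<' only
  "https://example.com/c?x=\n<p>following markup", // newline and '<' together
  "data:text/plain,line1\n<b>",                   // both, but not HTTP(S)
];

// True when the string holds both a newline and '<', as in the bug title.
function hasNewlineAndLt(s) {
  return s.includes("\n") && s.includes("<");
}

// Decision made by the HTML-side caller: parse only to learn the scheme,
// but test the raw string, because parsing destroys the evidence.
function shouldBlockRequest(raw, base) {
  let url;
  try {
    url = new URL(raw, base);
  } catch {
    return false; // unparsable value: no request is made at all
  }
  const isHttp = url.protocol === "http:" || url.protocol === "https:";
  return isHttp && hasNewlineAndLt(raw);
}

// The same test on the parsed URL never fires for HTTP(S): the URL parser
// strips newlines and percent-encodes '<' in the path and query.
function visibleAfterParsing(raw, base) {
  return hasNewlineAndLt(new URL(raw, base).href);
}

// One decision per sample, in order.
function classifySamples() {
  return SAMPLES.map((raw) => shouldBlockRequest(raw, BASE));
}

console.log(classifySamples());
console.log(new URL(SAMPLES[3], BASE).href);
```

URLs with only a newline or only `<` pass, which is the compatibility case the comment raises; only the combination on an HTTP(S) request is refused.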