<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW - Add support for creating invalid URLs directly"
href="https://bugs.webkit.org/show_bug.cgi?id=156364#c6">Comment # 6</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW - Add support for creating invalid URLs directly"
href="https://bugs.webkit.org/show_bug.cgi?id=156364">bug 156364</a>
from <span class="vcard"><a class="email" href="mailto:jiewen_tan@apple.com" title="Jiewen Tan <jiewen_tan@apple.com>"> <span class="fn">Jiewen Tan</span></a>
</span></b>
<pre>(In reply to <a href="show_bug.cgi?id=156364#c5">comment #5</a>)
<span class="quote">> The danger here is that if we start exposing invalid URLs to clients, that
> increases the attack surface. Any bugs clients have in handling URLs would
> be more exploitable.</span >
I think we are doing this now. In the URL parser (URL::parse(const char* url, const String* originalString)), we assign the m_string to original string and invalidate the URL if we fail to parse it.
There is only one place at ToT that we change the the m_string to about:blank, which we fail IDNA toASCII conversion.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>