From: matthew@...
Date: 2020-07-13T21:01:51+00:00
Subject: [ruby-core:99158] [Ruby master Bug#17029] URI.parse considers https://example.com/### invalid when browsers consider it valid
Issue #17029 has been updated by phluid61 (Matthew Kerwin).
It's not valid according to RFC 3986 (the URI standard) but that is pretty old now. I suspect switching from the IETF URI spec to the WHATWG URL spec would have other consequences, too.
----------------------------------------
Bug #17029: URI.parse considers https://example.com/### invalid when browsers consider it valid
https://bugs.ruby-lang.org/issues/17029#change-86536
* Author: nileshtr (Nilesh Trivedi)
* Status: Open
* Priority: Normal
* ruby -v: ruby 2.7.1p83 (2020-03-31 revision a0c7c23c9c) [x86_64-darwin19]
* Backport: 2.5: UNKNOWN, 2.6: UNKNOWN, 2.7: UNKNOWN
----------------------------------------
I have a form with `` and in the backend, I try to extract the domain with `URI.parse(url).host`
A user was able to submit a value like `https://example.com/###` which passed the browser's validation check, but failed by `URI.parse` with this error:
```
3: from /Users/helix/.rbenv/versions/2.7.1/lib/ruby/2.7.0/uri/common.rb:234:in `parse'
2: from /Users/helix/.rbenv/versions/2.7.1/lib/ruby/2.7.0/uri/rfc3986_parser.rb:73:in `parse'
1: from /Users/helix/.rbenv/versions/2.7.1/lib/ruby/2.7.0/uri/rfc3986_parser.rb:67:in `split'
URI::InvalidURIError (bad URI(is not URI?): "https://example.com/###")
```
You can try the browser's behavior at MDN's demo: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/url
This is what the MDN page says about validation:
The syntax of a URL is fairly intricate. It's defined by WHATWG's URL Living Standard ( https://url.spec.whatwg.org/ ) and is described for newcomers in our article What is a URL? ( https://developer.mozilla.org/en-US/docs/Learn/Common_questions/What_is_a_URL )
--
https://bugs.ruby-lang.org/
Unsubscribe: