27642 2014-12-17 20:47:05 +0000 Enumerate security considerations for display of URLs to users, especially non-ASCII URLs. 2015-08-25 14:22:59 +0000 1 1 1 Unclassified WHATWG URL unspecified All All RESOLVED FIXED P2 normal Unsorted 1 rubys annevk masinter mike rubys sideshowbarker+urlspec oldest_to_newest 116433 0 rubys 2014-12-17 20:47:05 +0000 This bug was opened on behalf of Larry Masinter, based on: https://github.com/webspecs/url/issues/18 121427 1 annevk 2015-06-22 17:20:27 +0000 See http://tools.ietf.org/html/rfc3987#section-8 in particular for some of the risks. Mostly UI risks. The encoding risks are not really URL-specific. 122771 2 annevk 2015-08-25 11:01:15 +0000 That RFC boils down to "spoofing" risks and being careful with allocating new URLs to avoid having your users spoofed. (Though obviously you can't do that for domain names.) We've also tackled some reparsing issues. This is why the host parser disallows a certain set of ASCII code points. We should mention that in certain contexts URLs can be used to execute attacks. E.g., if a user agent dispatches unknown URLs to elsewhere it should do so very carefully and both parties need to understand the implications (they typically don't expect attacks). And I guess we should mention that bidirectional URLs can cause significant confusion. 122774 3 annevk 2015-08-25 14:22:59 +0000 https://github.com/whatwg/url/commit/2232f47f3ed145d2f1111a6bac7284c2077c2ef7 Leaving bidi to bug 27641.