This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019.
This bug was opened on behalf of Larry Masinter, based on: https://github.com/webspecs/url/issues/18
See http://tools.ietf.org/html/rfc3987#section-8 in particular for some of the risks. Mostly UI risks. The encoding risks are not really URL-specific.
That RFC boils down to "spoofing" risks and being careful with allocating new URLs to avoid having your users spoofed. (Though obviously you can't do that for domain names.) We've also tackled some reparsing issues. This is why the host parser disallows a certain set of ASCII code points. We should mention that in certain contexts URLs can be used to execute attacks. E.g., if a user agent dispatches unknown URLs to elsewhere it should do so very carefully and both parties need to understand the implications (they typically don't expect attacks). And I guess we should mention that bidirectional URLs can cause significant confusion.
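An added example, not part of the bug thread or of the URL Standard's own code, illustrating two points from the comment above: the host parser rejecting a host that contains a forbidden ASCII code point, and a user agent vetting a URL (parser acceptance, scheme allowlist, stable reparse) before dispatching it to another party that may not expect hostile input. It uses the WHATWG URL API as shipped in Node.js and browsers; the scheme allowlist and the sample inputs are constructed for illustration.

```javascript
// Added example (not from the bug thread or the URL Standard's own code).
// Uses the WHATWG URL API (global `URL` in Node.js and browsers).

// Assumption: a user agent only hands off schemes it understands. This set is
// illustrative; a real product would derive it from its registered handlers.
const DISPATCHABLE_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Parse an untrusted string with the URL Standard parser. Returns null when the
// parser fails, e.g. because the host contains a forbidden host code point
// such as a space or "<".
function parseUntrusted(input) {
  try {
    return new URL(input);
  } catch (e) {
    return null;
  }
}

// Reparsing check: serialize and parse again, then confirm scheme, host and the
// full serialization are unchanged. A URL whose serialization reparses to a
// different host is a hazard for any consumer that only ever sees the string.
function reparsesStably(url) {
  const again = new URL(url.href);
  return (
    again.protocol === url.protocol &&
    again.host === url.host &&
    again.href === url.href
  );
}

// Decide whether a URL string may be handed to an external handler.
// Returns { ok, reason, href } where href is the normalized serialization.
function vetForDispatch(input) {
  const url = parseUntrusted(input);
  if (url === null) {
    return { ok: false, reason: "rejected by URL parser", href: null };
  }
  if (!DISPATCHABLE_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: "scheme not allowlisted: " + url.protocol, href: url.href };
  }
  if (!reparsesStably(url)) {
    return { ok: false, reason: "serialization does not reparse stably", href: url.href };
  }
  return { ok: true, reason: "ok", href: url.href };
}

// Constructed sample inputs exercising each branch.
const SAMPLES = [
  "https://example.com/path",   // ordinary, dispatchable
  "http://exa mple.com/",       // space is a forbidden host code point: parser fails
  "http://exam<ple.com/",       // "<" is a forbidden host code point: parser fails
  "javascript:void(0)",         // parses, but the scheme is not allowlisted
  "ssh://host.example/",        // unknown scheme: must not be blindly dispatched
];

// Run every sample through the vetting function; returns input -> result.
function vetAll(samples = SAMPLES) {
  const results = {};
  for (const s of samples) results[s] = vetForDispatch(s);
  return results;
}

// Usage: print a one-line verdict per sample.
for (const [input, r] of Object.entries(vetAll())) {
  console.log(`${r.ok ? "DISPATCH" : "REFUSE  "} ${JSON.stringify(input)} (${r.reason})`);
}
```

The ordering matters: the parser runs first, so the allowlist and reparse checks only ever see a URL record, never the raw string. Refusing unknown schemes rather than forwarding them is the conservative reading of the comment's point about dispatching unknown URLs elsewhere.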
https://github.com/whatwg/url/commit/2232f47f3ed145d2f1111a6bac7284c2077c2ef7 Leaving bidi to bug 27641.