Opened 16 years ago
Closed 15 years ago
#9823 closed defect (bug) (fixed)
Allow 0xAD in URI attributes
Reported by: | nbachiyski | Owned by: | |
---|---|---|---|
Milestone: | 2.9 | Priority: | low |
Severity: | normal | Version: | 2.8 |
Component: | Validation | Keywords: | kses |
Focuses: | Cc: |
Description
kses strips 0xAD from URI attributes (see #4379 and #5917).
Given the more frequent use of unicode in addresses and the fact that this byte appears in a lot of the UTF-8 representations, stripping it causes many broken URLs.
I researched the issue and found only one security problem caused by this byte: Mozilla <= 1.7.11/Firefox <= 1.5 Beta 1 didn't escape this byte properly in Internationalized Domain Names.
The bug was fixed almost 4 years ago and everybody now is using newer versions of Firefox, so I think we can safely remove the check.
Attachments (1)
Change History (2)
Note: See
TracTickets for help on using
tickets.
(In [12199]) Allow 0xAD in URI attributes. Props nbachiyski. fixes #9823 #10859