unescape() logic doesn't copy invalid bytes following % as expected by most recent spec
(This is a reopened version of #11249 because the whatwg spec has changed.)
What version of Go are you using (
Doesn't loosening of URI validation risk propagating invalid %-encodings to other systems that will choke on the invalid URIs (like, for example, something built with go1.19)? This seems opposite to the logic used to justify tightening of ParseIP logic in go1.17 (#30999).
I would not have expected the stdlib method to relax validation unconditionally like this.
Aside from the question about whether allowing these invalid sequences is going to cause problems with other systems, stdlib methods are widely used to validate things like IPs and URIs which are persisted and have to interoperate with multiple Go versions. If this is going to update go1.20 to accept URIs as valid which go1.19 rejected as invalid, can this also include guidance for consumers to roll out this change?
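The difference discussed above, as an added example that is not part of the original thread or of Go's `net/url` source: a lenient decoder that copies a malformed `%` through unchanged, as the WHATWG percent-decode algorithm does, next to an explicit validator a consumer can run before persisting a value so that acceptance does not depend on which Go version decodes it. The names `escapeAt`, `LenientDecode` and `ValidateEscapes` are hypothetical, and the inputs are constructed.

```go
package main

import (
	"fmt"
	"strconv"
)

// escapeAt reports whether s[i] starts a well-formed %XX escape, and its byte.
func escapeAt(s string, i int) (byte, bool) {
	if s[i] != '%' || i+2 >= len(s) {
		return 0, false
	}
	// Base 16 with no sign or prefix allowed: succeeds only for two hex digits.
	v, err := strconv.ParseUint(s[i+1:i+3], 16, 8)
	return byte(v), err == nil
}

// LenientDecode decodes well-formed escapes and copies every other byte,
// including a '%' with no valid hex pair after it, through unchanged.
func LenientDecode(s string) string {
	out := make([]byte, 0, len(s))
	for i := 0; i < len(s); i++ {
		if b, ok := escapeAt(s, i); ok {
			out = append(out, b)
			i += 2
		} else {
			out = append(out, s[i])
		}
	}
	return string(out)
}

// ValidateEscapes rejects any '%' that is not followed by two hex digits,
// independent of how the decoder in use treats such input.
func ValidateEscapes(s string) error {
	for i := 0; i < len(s); i++ {
		if _, ok := escapeAt(s, i); ok {
			i += 2
		} else if s[i] == '%' {
			return fmt.Errorf("malformed percent-escape at offset %d", i)
		}
	}
	return nil
}

func main() {
	for _, in := range []string{"a%20b", "a%zzb", "100%"} { // constructed inputs
		fmt.Printf("%q lenient=%q err=%v\n", in, LenientDecode(in), ValidateEscapes(in))
	}
}
```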
I guess there are two issues conflated in the earlier bug. The first is "Please support decoding
Given that 1) there are sites in the wild with
This reverts CL 450375.

Reason for revert: This change causes test failures (and possibly other problems) for users depending on the existing validation behavior. Rolling back the change for now to give us more time to consider its impact. This landed late in the cycle and isn't urgent; it can wait for 1.21 if we do want to make the change.

Fixes #56884
For #56732

Change-Id: I082023c67f1bbb933a617453ab92b67abba876ef
Reviewed-on: https://go-review.googlesource.com/c/go/+/452795
TryBot-Result: Gopher Robot <email@example.com>
Reviewed-by: Ian Lance Taylor <firstname.lastname@example.org>
Run-TryBot: Damien Neil <email@example.com>
Reviewed-by: Heschi Kreinick <firstname.lastname@example.org>