I am working on a service which consumes URLs from potentially any web site / web app / web service. We have recently come across a URL which makes use of square brackets in the query param of the URI (after the question mark). For example:
https://example.com?abc[]=123&abc[]=456
According to RFC 3986 the URI producer should be percent-encoding square brackets in the query params. After searching around I came across this breakdown of the RFC and how it applies in this situation. After reading through the RFC it would seem that while it is not to standard to produce these URIs, the standard suggests that these URIs should still be accepted.
RFC 3986 - Section 2.2. Reserved Characters
URI producing applications should percent-encode data octets that
correspond to characters in the reserved set unless these characters
are specifically allowed by the URI scheme to represent data in that
component. If a reserved character is found in a URI component and
no delimiting role is known for that character, then it must be
interpreted as representing the data octet corresponding to that
character's encoding in US-ASCII.
In our most recent instance, we found a URL using this format from a major UK ISP website (https://signup.nowtv.com/broadband/configurator/?p[]=ADSL&o[]=SAVER_OFFER).
It would seem to me that the validation should pass and accept non-encoded square brackets in a query parameter, if nothing else because there are URIs in the wild which are doing this. That said, I'm sure this may generate some significant discussion and opinion.
Code to reproduce
Sample code:
```javascript
const Joi = require('joi');

const schema = Joi.object().keys({ url: Joi.string().uri() });

const resOne = Joi.validate({ url: 'https://example.com?abc[]=123&abc[]=456' }, schema);
console.log(resOne); // => ValidationError: child "url" fails because ["url" must be a valid uri]

const resTwo = Joi.validate({ url: 'https://example.com?abc=123&abc=456' }, schema);
console.log(resTwo); // => error: null (passes validation)
```
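One way for a consuming service to accept such URLs while keeping a strict validator, as an added example (not code from joi or from the issue author): split the URI with the RFC 3986 Appendix B regex and percent-encode raw square brackets in the query only, leaving the authority untouched because brackets delimit IPv6 literals there. The function names are hypothetical, and it assumes the consumer is free to rewrite the URL before validating it.

```javascript
// Added example, not joi code. Function names are hypothetical.

// RFC 3986 Appendix B component-splitting regex.
const URI_PARTS = /^(([^:\/?#]+):)?(\/\/([^\/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?/;

// RFC 3986 section 3.4: query = *( pchar / "/" / "?" ), where
// pchar = unreserved / pct-encoded / sub-delims / ":" / "@".
// "[" and "]" are gen-delims and are not part of this set.
const STRICT_QUERY = /^(?:[A-Za-z0-9\-._~!$&'()*+,;=:@\/?]|%[0-9A-Fa-f]{2})*$/;

function splitUri(uri) {
  const m = URI_PARTS.exec(uri); // every group is optional, so this always matches
  return {
    beforeQuery: (m[1] || '') + (m[3] || '') + m[5], // scheme + authority + path
    query: m[7],                                     // undefined when there is no "?"
    fragment: m[8] || ''                             // keeps the leading "#"
  };
}

// True when the query component (if any) fits the strict RFC 3986 grammar.
function isStrictQuery(uri) {
  const { query } = splitUri(uri);
  return query === undefined || STRICT_QUERY.test(query);
}

// Percent-encode raw brackets in the query component only.
function encodeQueryBrackets(uri) {
  const { beforeQuery, query, fragment } = splitUri(uri);
  if (query === undefined) return uri;
  const fixed = query.replace(/\[/g, '%5B').replace(/\]/g, '%5D');
  return beforeQuery + '?' + fixed + fragment;
}

// The two URLs from the issue, plus one constructed IPv6 case.
const samples = [
  'https://example.com?abc[]=123&abc[]=456',
  'https://signup.nowtv.com/broadband/configurator/?p[]=ADSL&o[]=SAVER_OFFER',
  'http://[::1]:8080/a?x[0]=1'
];
for (const u of samples) {
  console.log(isStrictQuery(u), '->', encodeQueryBrackets(u));
}
```

The rewritten string can then be handed to a strict validator such as `Joi.string().uri()`, while the original is kept for logging.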
This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.
lockbot
locked as resolved and limited conversation to collaborators
Jan 9, 2020