Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Escape characters not allowed by URL specs but not escaped by URL::toString #10307

Open
7 tasks done
JoHaHu opened this issue Oct 1, 2022 · 3 comments
Open
7 tasks done

Comments

@JoHaHu
Copy link

JoHaHu commented Oct 1, 2022

Describe the bug

Whe using vite in dev mode behind a proxy illegal characters in URL can lead to errors.
As an example Nuxt 3 uses [foo] as pattern for dynamic routes. During development url for modules aren't properly url-encoded.

Reproduction:
open stackblitz example and navigate to /test/id. In the browser network trace there is a request for /test/[id].vue which fails when used behind certain proxies.

nuxt/nuxt#15049

Reproduction

https://stackblitz.com/edit/github-tjxq2a-k3p4ab

System Info

System:
    OS: Linux 5.19 Fedora Linux 36 (Workstation Edition)
    CPU: (12) x64 Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz
    Memory: 21.48 GB / 31.04 GB
    Container: Yes
    Shell: 5.8.1 - /bin/zsh
  Binaries:
    Node: 16.16.0 - ~/.nvm/versions/node/v16.16.0/bin/node
    npm: 8.11.0 - ~/.nvm/versions/node/v16.16.0/bin/npm
  Browsers:
    Firefox: 105.0.1

Used Package Manager

npm

Logs

No response

Validations

@sapphi-red
Copy link
Member

nuxt/nuxt#15049

@sapphi-red
Copy link
Member

Summary of what was discussed in the above issue

The "[" in the path part is not allowed in RFC 3986 (successor to RFC 2396), but is allowed in the URL Standard.

Both Node.js and browsers parses relative import specifiers in compliance with the URL Standard.

So this is a valid JS in both browser and Node.js.

However, the Java server used rejects this URL because it is compliant with RFC3986, not the URL Standard.

@sapphi-red sapphi-red changed the title Vite does not escape illegal cahracters like '[' or ']' in dev mode Escape characters allowed by URL Standard but not allowed by RFC 3986 Oct 4, 2022
@sapphi-red
Copy link
Member

Umm, rereading the URL Standard spec, it seems I'm wrong.
"[" (0x5B) in the path part is allowed in the URL "representation" section, but it's not allowed in the "URL writing" section.

Because new URL('https://example.com/[foo]').href returns https://example.com/[foo], I thought "[" is allowed in the URL Standard spec. But it seems .href may return a invalid URL. I didn't expect that to happen. 🫠

The output of the URL serializer is not always a valid URL string.
https://url.spec.whatwg.org/#urls:~:text=The%20output%20of%20the%20URL%20serializer%20is%20not%20always%20a%20valid%20URL%20string.

related: whatwg/url#379, whatwg/url#753

@sapphi-red sapphi-red changed the title Escape characters allowed by URL Standard but not allowed by RFC 3986 Escape characters not allowed by URL specs but not escaped by URL::toString Nov 7, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants