[ruby-core:99153] [Ruby master Bug#17029] URI.parse considers https://example.com/### invalid when browsers consider it valid

ruby-core@ruby-lang.org archive (unofficial mirror)
 help / color / mirror / Atom feed

* [ruby-core:99153] [Ruby master Bug#17029] URI.parse considers https://example.com/### invalid when browsers consider it valid
@ 2020-07-13 17:33 nilesh.tr
  2020-07-13 17:38 ` [ruby-core:99154] " merch-redmine
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: nilesh.tr @ 2020-07-13 17:33 UTC (permalink / raw)
  To: ruby-core

Issue #17029 has been reported by nileshtr (Nilesh Trivedi).

----------------------------------------
Bug #17029: URI.parse considers https://example.com/### invalid when browsers consider it valid
https://bugs.ruby-lang.org/issues/17029

* Author: nileshtr (Nilesh Trivedi)
* Status: Open
* Priority: Normal
* ruby -v: ruby 2.7.1p83 (2020-03-31 revision a0c7c23c9c) [x86_64-darwin19]
* Backport: 2.5: UNKNOWN, 2.6: UNKNOWN, 2.7: UNKNOWN
----------------------------------------
I have a form with `<input type="url" required>` and in the backend, I try to extract the domain with `URI.parse(url).host`

A user was able to submit a value like `https://example.com/###` which passed the browser's validation check, but failed by `URI.parse` with this error:

```
        3: from /Users/helix/.rbenv/versions/2.7.1/lib/ruby/2.7.0/uri/common.rb:234:in `parse'
        2: from /Users/helix/.rbenv/versions/2.7.1/lib/ruby/2.7.0/uri/rfc3986_parser.rb:73:in `parse'
        1: from /Users/helix/.rbenv/versions/2.7.1/lib/ruby/2.7.0/uri/rfc3986_parser.rb:67:in `split'
URI::InvalidURIError (bad URI(is not URI?): "https://example.com/###")
```

You can try the browser's behavior at MDN's demo: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/url

This is what the MDN page says about validation:

The syntax of a URL is fairly intricate. It's defined by WHATWG's URL Living Standard ( https://url.spec.whatwg.org/ ) and is described for newcomers in our article What is a URL? ( https://developer.mozilla.org/en-US/docs/Learn/Common_questions/What_is_a_URL )



-- 
https://bugs.ruby-lang.org/

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [ruby-core:99154] [Ruby master Bug#17029] URI.parse considers https://example.com/### invalid when browsers consider it valid
  2020-07-13 17:33 [ruby-core:99153] [Ruby master Bug#17029] URI.parse considers https://example.com/### invalid when browsers consider it valid nilesh.tr
@ 2020-07-13 17:38 ` merch-redmine
  2020-07-13 21:01 ` [ruby-core:99158] " matthew
  2020-07-18  3:26 ` [ruby-core:99213] " nilesh.tr
  2 siblings, 0 replies; 4+ messages in thread
From: merch-redmine @ 2020-07-13 17:38 UTC (permalink / raw)
  To: ruby-core

Issue #17029 has been updated by jeremyevans0 (Jeremy Evans).

This does seem like a bug to me.  It looks like `https://example.com/###` should be an valid URL with a fragment of `##`.  However, the uri library is maintained in a separate repository.  Please submit this as an issue to https://github.com/ruby/uri/issues/new.

----------------------------------------
Bug #17029: URI.parse considers https://example.com/### invalid when browsers consider it valid
https://bugs.ruby-lang.org/issues/17029#change-86533

* Author: nileshtr (Nilesh Trivedi)
* Status: Open
* Priority: Normal
* ruby -v: ruby 2.7.1p83 (2020-03-31 revision a0c7c23c9c) [x86_64-darwin19]
* Backport: 2.5: UNKNOWN, 2.6: UNKNOWN, 2.7: UNKNOWN
----------------------------------------
I have a form with `<input type="url" required>` and in the backend, I try to extract the domain with `URI.parse(url).host`

A user was able to submit a value like `https://example.com/###` which passed the browser's validation check, but failed by `URI.parse` with this error:

```
        3: from /Users/helix/.rbenv/versions/2.7.1/lib/ruby/2.7.0/uri/common.rb:234:in `parse'
        2: from /Users/helix/.rbenv/versions/2.7.1/lib/ruby/2.7.0/uri/rfc3986_parser.rb:73:in `parse'
        1: from /Users/helix/.rbenv/versions/2.7.1/lib/ruby/2.7.0/uri/rfc3986_parser.rb:67:in `split'
URI::InvalidURIError (bad URI(is not URI?): "https://example.com/###")
```

You can try the browser's behavior at MDN's demo: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/url

This is what the MDN page says about validation:

The syntax of a URL is fairly intricate. It's defined by WHATWG's URL Living Standard ( https://url.spec.whatwg.org/ ) and is described for newcomers in our article What is a URL? ( https://developer.mozilla.org/en-US/docs/Learn/Common_questions/What_is_a_URL )

-- 
https://bugs.ruby-lang.org/

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [ruby-core:99158] [Ruby master Bug#17029] URI.parse considers https://example.com/### invalid when browsers consider it valid
  2020-07-13 17:33 [ruby-core:99153] [Ruby master Bug#17029] URI.parse considers https://example.com/### invalid when browsers consider it valid nilesh.tr
  2020-07-13 17:38 ` [ruby-core:99154] " merch-redmine
@ 2020-07-13 21:01 ` matthew
  2020-07-18  3:26 ` [ruby-core:99213] " nilesh.tr
  2 siblings, 0 replies; 4+ messages in thread
From: matthew @ 2020-07-13 21:01 UTC (permalink / raw)
  To: ruby-core

Issue #17029 has been updated by phluid61 (Matthew Kerwin).


It's not valid according to RFC 3986 (the URI standard) but that is pretty old now. I suspect switching from the IETF URI spec to the WHATWG URL spec would have other consequences, too. 

----------------------------------------
Bug #17029: URI.parse considers https://example.com/### invalid when browsers consider it valid
https://bugs.ruby-lang.org/issues/17029#change-86536

* Author: nileshtr (Nilesh Trivedi)
* Status: Open
* Priority: Normal
* ruby -v: ruby 2.7.1p83 (2020-03-31 revision a0c7c23c9c) [x86_64-darwin19]
* Backport: 2.5: UNKNOWN, 2.6: UNKNOWN, 2.7: UNKNOWN
----------------------------------------
I have a form with `<input type="url" required>` and in the backend, I try to extract the domain with `URI.parse(url).host`

A user was able to submit a value like `https://example.com/###` which passed the browser's validation check, but failed by `URI.parse` with this error:

```
        3: from /Users/helix/.rbenv/versions/2.7.1/lib/ruby/2.7.0/uri/common.rb:234:in `parse'
        2: from /Users/helix/.rbenv/versions/2.7.1/lib/ruby/2.7.0/uri/rfc3986_parser.rb:73:in `parse'
        1: from /Users/helix/.rbenv/versions/2.7.1/lib/ruby/2.7.0/uri/rfc3986_parser.rb:67:in `split'
URI::InvalidURIError (bad URI(is not URI?): "https://example.com/###")
```

You can try the browser's behavior at MDN's demo: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/url

This is what the MDN page says about validation:

The syntax of a URL is fairly intricate. It's defined by WHATWG's URL Living Standard ( https://url.spec.whatwg.org/ ) and is described for newcomers in our article What is a URL? ( https://developer.mozilla.org/en-US/docs/Learn/Common_questions/What_is_a_URL )



-- 
https://bugs.ruby-lang.org/

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [ruby-core:99213] [Ruby master Bug#17029] URI.parse considers https://example.com/### invalid when browsers consider it valid
  2020-07-13 17:33 [ruby-core:99153] [Ruby master Bug#17029] URI.parse considers https://example.com/### invalid when browsers consider it valid nilesh.tr
  2020-07-13 17:38 ` [ruby-core:99154] " merch-redmine
  2020-07-13 21:01 ` [ruby-core:99158] " matthew
@ 2020-07-18  3:26 ` nilesh.tr
  2 siblings, 0 replies; 4+ messages in thread
From: nilesh.tr @ 2020-07-18  3:26 UTC (permalink / raw)
  To: ruby-core

Issue #17029 has been updated by nileshtr (Nilesh Trivedi).


I filed an issue at the uri library's Github repo: https://github.com/ruby/uri/issues/8

----------------------------------------
Bug #17029: URI.parse considers https://example.com/### invalid when browsers consider it valid
https://bugs.ruby-lang.org/issues/17029#change-86593

* Author: nileshtr (Nilesh Trivedi)
* Status: Open
* Priority: Normal
* ruby -v: ruby 2.7.1p83 (2020-03-31 revision a0c7c23c9c) [x86_64-darwin19]
* Backport: 2.5: UNKNOWN, 2.6: UNKNOWN, 2.7: UNKNOWN
----------------------------------------
I have a form with `<input type="url" required>` and in the backend, I try to extract the domain with `URI.parse(url).host`

A user was able to submit a value like `https://example.com/###` which passed the browser's validation check, but failed by `URI.parse` with this error:

```
        3: from /Users/helix/.rbenv/versions/2.7.1/lib/ruby/2.7.0/uri/common.rb:234:in `parse'
        2: from /Users/helix/.rbenv/versions/2.7.1/lib/ruby/2.7.0/uri/rfc3986_parser.rb:73:in `parse'
        1: from /Users/helix/.rbenv/versions/2.7.1/lib/ruby/2.7.0/uri/rfc3986_parser.rb:67:in `split'
URI::InvalidURIError (bad URI(is not URI?): "https://example.com/###")
```

You can try the browser's behavior at MDN's demo: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/url

This is what the MDN page says about validation:

The syntax of a URL is fairly intricate. It's defined by WHATWG's URL Living Standard ( https://url.spec.whatwg.org/ ) and is described for newcomers in our article What is a URL? ( https://developer.mozilla.org/en-US/docs/Learn/Common_questions/What_is_a_URL )



-- 
https://bugs.ruby-lang.org/

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2020-07-18  3:26 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-13 17:33 [ruby-core:99153] [Ruby master Bug#17029] URI.parse considers https://example.com/### invalid when browsers consider it valid nilesh.tr
2020-07-13 17:38 ` [ruby-core:99154] " merch-redmine
2020-07-13 21:01 ` [ruby-core:99158] " matthew
2020-07-18  3:26 ` [ruby-core:99213] " nilesh.tr

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).