: URLs posted with @ in the path are not autolinked properly, are they valid? I have a site where users post comments. Often, those comments have URLs to a video streaming site with URLs in

@Megan663

A URL with an @ in the path is valid. RFC 2396 talks about @ in section 2.2. It is a "reserved character". That means that it is allowed in the URL, but that it might have special meaning depending on the spec for that particular URL. In the case of HTTP URLs, there is no special meaning for @ in the path portion. Therefore, it is a legitimate character that may be used by webmasters.

Any software which attempts to use heuristics to identify URLs and autolink them should allow an @ in the path of a HTTP URL.

There are some possible security implications from allowing the path of a linked URL to contain @ :


The @ does have special meaning in the domain name portion of a HTTP URL. There it specifies the user name and password for basic authentication. Auto linking a URL like user:pass@example.com/ could cause users that click it to automatically log into another site with the specified user and password.
Auto linking a URL like example.com@foo.example.net could be problematic. Is that an email address? Is that an attempt to get somebody to log into foo.example.net as the user example.com?

In my opinion, these security concerns are minor and would be mitigated by ensuring that any implementation restricts the allowed @ to the portion after the domain name and slash. StackExchange sites do autolink URLs with @ in the path. So doing so is not without precedent.

Vote Up Vote Down

@Yeniel560

As explained in this SO article, @ is a reserved symbol and should not be used directly in URLs. However, it should work when URL encoded.

Correction: @ is a legal character for the path component, and should work. Nevertheless, if reality disagrees with theory, trying a practical solution isn't a bad idea.

Therefore, a form filter that converts raw @ to %40 might solve your problem.

Vote Up Vote Down