URLs posted with @ in the path are not autolinked properly, are they valid?
I have a site where users post comments. Often, those comments have URLs to a video streaming site with URLs in the following format:
My site does not link the latter part comprising @57m58s, which leads them to that specific part of the video.
I tried to determine if this URL format is indeed valid by going through the RFC for URL format. I'm also trying to find out if it has ramifications from the security perspective because these are added as comments in the site. (The comments don't allow users to add HTML content).
Is implementing a filter to ensure that the URL is fully linked inclusive of @time valid? Could it be a security concern?
A URL with an @ in the path is valid. RFC 2396 talks about @ in section 2.2. It is a "reserved character". That means that it is allowed in the URL, but that it might have special meaning depending on the spec for that particular URL. In the case of HTTP URLs, there is no special meaning for @ in the path portion. Therefore, it is a legitimate character that may be used by webmasters.
Any software which attempts to use heuristics to identify URLs and autolink them should allow an @ in the path of an HTTP URL.
There are some possible security implications from allowing the path of a linked URL to contain @:
The @ does have special meaning in the domain name portion of an HTTP URL. There it specifies the user name and password for basic authentication. Auto-linking a URL like user:pass@example.com/ could cause users that click it to automatically log into another site with the specified user and password.
Auto-linking a URL like example.com@foo.example.net could be problematic. Is that an email address? Is that an attempt to get somebody to log into foo.example.net as the user example.com?
In my opinion, these security concerns are minor and would be mitigated by ensuring that any implementation restricts the allowed @ to the portion after the domain name and slash. StackExchange sites do autolink URLs with @ in the path. So doing so is not without precedent.
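One way to implement the restriction this answer describes, as an added example that is not part of the original answer (the host names and the video URL are constructed): the autolinker links http(s) URLs that carry @ in the path, refuses to link any URL with userinfo (user:pass@host) before the host, and leaves scheme-less text such as example.com@foo.example.net alone because it is ambiguous.

```python
import html
import re
from urllib.parse import urlsplit

# Candidate http(s) URLs in free text. '@' is allowed anywhere in the match;
# the decision about where it is acceptable is made afterwards, not by the regex.
URL_RE = re.compile(r"""https?://[^\s<>"']+""")

# Punctuation that usually ends a sentence rather than belonging to the URL.
TRAILING = ".,;:!?)"


def is_safe_to_autolink(candidate: str) -> bool:
    """True only for http(s) URLs with a host and no userinfo.

    '@' in the path (e.g. /watch/abc@57m58s) is fine. '@' in the authority
    (user:pass@host) is refused so a click can never submit credentials.
    """
    parts = urlsplit(candidate)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return bool(parts.hostname)


def autolink(text: str) -> str:
    """Wrap acceptable URLs in <a> tags; everything else stays plain text."""

    def repl(match: re.Match) -> str:
        raw = match.group(0)
        url = raw.rstrip(TRAILING)
        trail = raw[len(url):]
        if not is_safe_to_autolink(url):
            return raw  # leave the suspicious URL as inert text
        href = html.escape(url, quote=True)
        return f'<a href="{href}">{html.escape(url)}</a>{trail}'

    return URL_RE.sub(repl, text)


if __name__ == "__main__":
    # Constructed sample comments exercising the three cases from the answer.
    for comment in (
        "see https://video.example/watch/abc@57m58s.",
        "login https://user:pass@example.com/ now",
        "mail example.com@foo.example.net",
    ):
        print(autolink(comment))
```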
As explained in this SO article, @ is a reserved symbol and should not be used directly in URLs. However, it should work when URL encoded.
Correction: @ is a legal character for the path component, and should work. Nevertheless, if reality disagrees with theory, trying a practical solution isn't a bad idea.
Therefore, a form filter that converts raw @ to %40 might solve your problem.