RFC3986_Parser accepts invalid URIs containing %
URI.parse('https://www.example.com/search?q=%XX') does not raise an error despite being an invalid URI. A % in a URI must be followed by exactly two hex digits, but the RFC3986 parser does not check that in the URI query. Ruby 2.1 correctly raises an error.
Updated by jeremyevans0 (Jeremy Evans) 3 months ago
- Assignee set to akira (akira yamada)
- Status changed from Open to Assigned
- File uri-parse-query-pct-encoded.patch added
I agree that this is a bug that should be fixed. The implementation automatically percent escapes invalid characters instead of rejecting them by design. However, I don't think that implies we should accept invalid percent escapes already present. Attached is a patch that should fix the issue.
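A caller-side check for the rule stated in the report, as an added example that is not part of the issue thread or the attached patch. The helper names `malformed_pct_escapes` and `strict_parse` are hypothetical, the sample URIs are constructed, and the check covers the whole string rather than only the query.

```ruby
require 'uri'

# A '%' that is NOT followed by two hex digits: "%XX", "%2", "%G0", trailing "%".
BAD_PCT = /%(?![0-9A-Fa-f]{2})/

# Returns [[offset, snippet], ...] for every malformed percent escape in str.
def malformed_pct_escapes(str)
  hits = []
  pos = 0
  while (pos = str.index(BAD_PCT, pos))
    hits << [pos, str[pos, 3]]   # snippet is shorter than 3 chars at end of string
    pos += 1
  end
  hits
end

# Rejects malformed escapes before handing the string to URI.parse, so the
# result does not depend on how the installed parser treats them.
def strict_parse(str)
  bad = malformed_pct_escapes(str)
  unless bad.empty?
    pos, snippet = bad.first
    raise URI::InvalidURIError,
          "malformed percent escape #{snippet.inspect} at offset #{pos}"
  end
  URI.parse(str)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs.
  [
    'https://www.example.com/search?q=%20a',  # valid escape
    'https://www.example.com/search?q=%XX',   # the case from the report
    'https://www.example.com/search?q=100%'   # trailing bare '%'
  ].each do |s|
    begin
      strict_parse(s)
      puts "accepted: #{s}"
    rescue URI::InvalidURIError => e
      puts "rejected: #{s} (#{e.message})"
    end
  end
end
```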