fix: Adjust Core.AllowHostnameUnderscore to consider that "_" is defined as Unreserved Characters in RFC 3986#406
Merged
ezyang merged 2 commits intoezyang:masterfrom Apr 19, 2024
Conversation
8a68a51 to
ed438c3
Compare
…ned as Unreserved Characters in RFC 3986
ed438c3 to
672a6a1
Compare
ezyang
reviewed
Apr 18, 2024
| // The productions describing this are: | ||
| $a = '[a-z]'; // alpha | ||
| $an = '[a-z0-9]'; // alphanum | ||
| $an = "[a-z0-9$underscore]"; // alphanum |
Owner
There was a problem hiding this comment.
can you update the comment above too?
Contributor
Author
There was a problem hiding this comment.
Would it be ok to update the comment as follows?
$an = "[a-z0-9$underscore]"; // alphanum | "_"
$and = "[a-z0-9-$underscore]"; // alphanum | "-" | "_"
Owner
There was a problem hiding this comment.
oops, I meant
// This doesn't match I18N domain names, but we don't have proper IRI support,
// so force users to insert Punycode.
// There is not a good sense in which underscores should be
// allowed, since it's technically not! (And if you go as
// far to allow everything as specified by the DNS spec...
// well, that's literally everything, modulo some space limits
// for the components and the overall name (which, by the way,
// we are NOT checking!). So we (arbitrarily) decide this:
// let's allow underscores wherever we would have allowed
// hyphens, if they are enabled. This is a pretty good match
// for browser behavior, for example, a large number of browsers
// cannot handle foo_.example.com, but foo_bar.example.com is
// fairly well supported.
Contributor
Author
There was a problem hiding this comment.
Thank you. I got it.
I have updated the comment. Please check it.
// Underscores defined as Unreserved Characters in RFC 3986 are
// allowed in a URI. There are cases where we want to consider a
// URI containing "_" such as "_dmarc.example.com".
// Underscores are not allowed in the default. If you want to
// allow it, set Core.AllowHostnameUnderscore to true.
Contributor
Author
There was a problem hiding this comment.
Thank you for your confirmation and merging!
matsuo
added a commit
to matsuo/htmlpurifier
that referenced
this pull request
Apr 18, 2024
matsuo
added a commit
to matsuo/htmlpurifier
that referenced
this pull request
Apr 18, 2024
0100c1c to
c8b4404
Compare
c8b4404 to
dbe18a8
Compare
ezyang
approved these changes
Apr 19, 2024
github-actions Bot
pushed a commit
that referenced
this pull request
Nov 1, 2024
# [4.18.0](v4.17.0...v4.18.0) (2024-11-01) ### Bug Fixes * Adjust Core.AllowHostnameUnderscore to consider that "_" is defined as Unreserved Characters in RFC 3986 ([#406](#406)) ([d9fbef8](d9fbef8)) * Avoid a deprecated error when the attribute name is numeric and DirectLex is used ([#412](#412)) ([f0fbf51](f0fbf51)) * checking that node has property name ([#399](#399)) ([9ca5a36](9ca5a36)) * Ignore conditional comments ([#401](#401)) ([4828fdf](4828fdf)) * Support PHP 8.4 ([#396](#396)) ([92da247](92da247)) * undefined array key warning ([#419](#419)) ([01be377](01be377)) ### Features * Add allowfullscreen attr for iframe ([#411](#411)) ([70754a2](70754a2)) * add directive for removing blank nodes ([#404](#404)) ([c9d60c9](c9d60c9)) * Add support for CSS aspect-ratio ([#408](#408)) ([93bee73](93bee73)) * Allow universal CSS values for all properties ([#410](#410)) ([9723267](9723267))
|
🎉 This PR is included in version 4.18.0 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Hello,
Thank you so much for developing and maintaining HTML Purifier.
I have created a pull request for #405.
Recently, we have seen cases where we want to consider URIs that contain "_", such as "_dmarc.example.com".
I think this PR adjusts Core.AllowHostnameUnderscore to consider that "_" is defined as Unreserved Characters in RFC 3986.
Thank you.