Skip to content

Are URL objects guaranteed to sanitize path traversal attacks? #38452

Closed Answered by jasnell
Qix- asked this question in General
Discussion options

You must be logged in to vote

The new URL() object is an implementation of the WHATWG URL Standard. The parsing algorithm is fairly complex but, yes, it has always included normalization of the URL during parse. There's no security discussion in that spec as it deals specifically with parsing and serialization and not with the use of those URLs which is a separate issue.

Replies: 1 comment 1 reply

Comment options

You must be logged in to vote
1 reply
@Qix-
Comment options

Answer selected by Qix-
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
whatwg-url Issues and PRs related to the WHATWG URL implementation.
2 participants