I noticed today that

```js
console.log(new URL('https://foo.com/../../../foo.png').pathname); //-> /foo.png
```

I can't find any docs mentioning this and a cursory search reveals nothing mentioning this from a security perspective. Was this always the behavior? If so, is this specified somewhere so that it's guaranteed to be the case in the future? Are there caveats to this behavior? Thanks for any information!
Replies: 1 comment 1 reply
The `new URL()` object is an implementation of the WHATWG URL Standard. The parsing algorithm is fairly complex but, yes, it has always included normalization of the URL during parse. There's no security discussion in that spec as it deals specifically with parsing and serialization and not with the use of those URLs, which is a separate issue.
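
An added example, not part of the original thread: it runs the parser over constructed inputs to show which dot segments are normalized and which encoded separators are left alone, then shows one way to handle the separate question of using the resulting path. The host `example.test`, the root `/srv/static` and the helper names `parsedPath` and `toContainedPath` are assumptions for illustration.

```javascript
// Constructed inputs; example.test is a placeholder host.
const samples = [
  'https://example.test/../../../foo.png',            // plain dot segments
  'https://example.test/a/%2e%2e/foo.png',            // percent-encoded dots
  'https://example.test/a/%2E%2e/b/./foo.png',        // mixed case, single dot
  'https://example.test/a\\..\\foo.png',              // backslashes (special scheme)
  'https://example.test/static/..%2F..%2Fsecret.txt', // encoded slash
];

// What the WHATWG parser alone produces.
function parsedPath(input) {
  return new URL(input).pathname;
}

// Hypothetical helper: map a URL onto a path below `root`.
// The parser removes "." and ".." segments (including %2e forms) but never
// decodes %2F or %5C, so each segment is decoded and checked here before use.
function toContainedPath(input, root) {
  const segments = [];
  for (const raw of new URL(input).pathname.split('/')) {
    let seg;
    try {
      seg = decodeURIComponent(raw);
    } catch {
      return null; // malformed escape such as "%zz"
    }
    if (seg === '' || seg === '.') continue;
    // After decoding, a segment must be a plain name: no traversal,
    // no embedded separator, no NUL byte.
    if (seg === '..' || /[\/\\\0]/.test(seg)) return null;
    segments.push(seg);
  }
  return root.replace(/\/+$/, '') + '/' + segments.join('/');
}

for (const s of samples) {
  console.log(s, '->', parsedPath(s), '|', toContainedPath(s, '/srv/static'));
}
```

The first four inputs come out of the parser already normalized; the last one keeps its `%2F` sequences in `pathname`, and only a consumer that decodes it turns it into `../..`, which is why the helper rejects it.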