Hi Ignace, I have just added the SensitiveParameter attribute to the Uri\Rfc3986\Uri::withUserInfo() and Uri\WhatWg\Url::withPassword() methods.
> Reading the WHATWG URL specification and checking how > > - Chrome, > - Firefox > - and even https://github.com/TRowbotham/URL-Parser > > > behave I see that mutator either silently reject the invalid input on > setter or normalize them I was wondering if it still make sense to still > say that URL mutator can throws InvalldUrlException ? Since AFAIK only a > TypeError could actually be thrown if the wrong input is given, no > specially crafted string can make the spec throw unless I have overlooked > it. > I double the checked the implementation, and I quickly managed to find a case when an exception is thrown: $url = new Uri\WhatWg\Url("https://example.com";); $url->withHost("[1.2.3.4"); The above code will throw a Uri\WhatWg\InvalidUrlException that refers to the "IPv6-unclosed" WHATWG URL error, so I think it makes sense to keep the current behavior, especially with respect to possible future changes of the specification. Regards, Máté
