While we're on the topic of "X being broken" -- apparently URL parsing has to be done in stages, and each segment of a URL has different parsing rules. And java.net.URLEncoder is only useful for HTTP form encoding, not actual URLs.
http://blog.palominolabs.com/2013/10/03/creating-urls-correctly-and-safely/ Which means everyone using Java, over the last 20 years or so, has been parsing URLs the wrong way. I'm not sure there's enough face palm. Will.
_______________________________________________ langsec-discuss mailing list [email protected] https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss
