A way to format SMS messages for use with browser autofill features such as HTML’s autocomplete=one-time-code.
Parsing logic may accept hosts that are invalid to use with an https origin #6
Closed
majido closed 4 years ago
The current parsing algorithm accepts any character between '@' and space to be the host part of the origin.
However, per the URL spec, a host cannot contain certain characters: "A forbidden host code point is U+0000 NULL, U+0009 TAB, U+000A LF, U+000D CR, U+0020 SPACE, U+0023 (#), U+0025 (%), U+002F (/), U+003A (:), U+003C (<), U+003E (>), U+003F (?), U+0040 (@), U+005B ([), U+005C (\), U+005D (]), or U+005E (^)."
I think it makes sense to verify the captured host is valid before accepting it.
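The check proposed in this issue, sketched as an added example (not code from this repository or its specification): the host is taken as everything between '@' and the first space, as the issue describes, and is rejected if it contains any forbidden host code point from the quoted list. The function names, result shape and sample lines are assumptions made for illustration.

```javascript
// Forbidden host code points, copied from the URL spec text quoted in the issue.
const FORBIDDEN_HOST_CODE_POINTS = new Set([
  0x00, 0x09, 0x0a, 0x0d, 0x20, 0x23, 0x25, 0x2f, 0x3a,
  0x3c, 0x3e, 0x3f, 0x40, 0x5b, 0x5c, 0x5d, 0x5e,
]);

// Hypothetical helper: list every forbidden code point present in `host`.
function forbiddenCodePointsIn(host) {
  return [...host]
    .map((ch) => ch.codePointAt(0))
    .filter((cp) => FORBIDDEN_HOST_CODE_POINTS.has(cp));
}

// Hypothetical parser for the rule described in the issue: the host is
// whatever sits between the leading '@' and the first space on the line.
function extractHost(line) {
  if (!line.startsWith('@')) return { ok: false, reason: 'no-at-prefix' };
  const end = line.indexOf(' ');
  const host = end === -1 ? line.slice(1) : line.slice(1, end);
  if (host === '') return { ok: false, reason: 'empty-host' };

  // The validation step the issue asks for, applied before the host is used.
  const bad = forbiddenCodePointsIn(host);
  if (bad.length > 0) {
    return { ok: false, reason: 'forbidden-host-code-point', bad };
  }
  // Second check: the platform URL parser must accept it in an https URL.
  try {
    new URL(`https://${host}/`);
  } catch {
    return { ok: false, reason: 'url-parser-rejected' };
  }
  return { ok: true, host };
}

// Constructed sample lines (not taken from the page).
const SAMPLES = [
  '@example.com #123456',      // accepted
  '@example.com/path #123456', // '/' would smuggle in a path
  '@example.com:8443 #123456', // ':' would smuggle in a port
  '@user@example.com #123456', // '@' would smuggle in userinfo
  '@exa\tmple.com #123456',    // TAB is not a space, so it lands in the host
];

function runSamples() {
  return SAMPLES.map((line) => ({ line, ...extractHost(line) }));
}
```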