Add uncommon URL escape sequence test page #261
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
not-a-rootkit
requested review from
kdzwinel and
jonathanKingston
as code owners
kdzwinel
reviewed
Mar 4, 2025
| @@ -40,6 +40,7 @@ <h2>Redirects</h2> | |||
|
|
|||
| <h2>Edge Cases</h2> | |||
| <ul> | |||
| <li><a href="./phishing badͮ.html">Phishing Page With Abnormal URL Escape Sequences</a></li> | |||
There was a problem hiding this comment.
I see that cheeky "dͮ". Is that the only trick here? Or is that space a part of it?
There was a problem hiding this comment.
chat tells me the space is special (I was trying to see if we can get rid of it because I hate spaces in file names, but if this is part of the test I will have to live with it)
kdzwinel
approved these changes
Mar 4, 2025
| @@ -40,6 +40,7 @@ <h2>Redirects</h2> | |||
|
|
|||
| <h2>Edge Cases</h2> | |||
| <ul> | |||
| <li><a href="./phishing badͮ.html">Phishing Page With Abnormal URL Escape Sequences</a></li> | |||
There was a problem hiding this comment.
chat tells me the space is special (I was trying to see if we can get rid of it because I hate spaces in file names, but if this is part of the test I will have to live with it)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Asana Task: https://app.asana.com/0/0/1209499937941767/f
We discovered that certain escape sequences may break our protections. After discussing with Netcraft, they confirmed that they make no attempt to URL decode before building regular expressions. Therefore, all URL encoding should be taken as is by the clients.
This PR introduces one such phishing sample page.