Hi!

Maybe this has no practical implications, but this has been bugging me for 
a couple of years now, ever since I started using django.core.signing to 
generate tokens: if you take a look at

  https://github.com/django/django/blob/master/django/core/signing.py

the comment at the top says

   There are 65 url-safe characters: the 64 used by url-safe base64 and the ':'.
   These functions make use of all of them.

Yet, : is specifically mentioned as a reserved character:

  https://perishablepress.com/stop-using-unsafe-characters-in-urls/

It is used for the scheme "https:". encodeURIComponent(":") returns "%3A".

If I do a test with a link like <a href="/:baz/?foo:=:bar"> in Firefox, the 
browser doesn't quote any of the colons, though. OTOH, if you put in 
"foo:bar/" as a relative link, foo: is interpreted as a scheme. So it's not 
unconditionally safe.

Furthermore, the above page lists some more characters as safe:

  $-_.+!*'(),

Of these only -_.!*'() are not quoted by encodeURIComponent and -_ (and 
perhaps .) are already taken by signing code.

But in any case, the comment, although satisfying to read, is AFAICT 
incorrect?

I don't know if it is worth it to switch to another default separator (say 
*). There would need to be a fallback to : for some years at least.


Ole
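To make the separator question concrete, here is an added example (not from the post and not Django's own code): a simplified token in the signing.py layout, using a constructed demo key and a plain HMAC instead of Django's salted_hmac key derivation, run through urllib.parse to show that ':' is percent-encoded the way encodeURIComponent does it, that the token still verifies after decoding, and that a relative link beginning with "foo:" is parsed as a scheme unless the path is anchored with a leading "/".

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote, urlsplit

# Constructed demo key; Django derives the real key via salted_hmac().
DEMO_KEY = b"constructed-demo-key-do-not-reuse"
SEP = ":"  # django.core.signing's default separator


def b64url(data: bytes) -> str:
    """URL-safe base64 without '=' padding, the alphabet signing.py uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sign(value: str, sep: str = SEP) -> str:
    """Build '<base64url payload><sep><base64url HMAC>' (simplified)."""
    data = b64url(value.encode())
    mac = hmac.new(DEMO_KEY, data.encode(), hashlib.sha256).digest()
    return f"{data}{sep}{b64url(mac)}"


def verify(token: str, sep: str = SEP) -> bool:
    """Recompute the MAC over the payload half and compare in constant time."""
    data, found, sig = token.rpartition(sep)
    if not found:
        return False
    mac = hmac.new(DEMO_KEY, data.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(b64url(mac), sig)


def url_roundtrip_ok(token: str) -> bool:
    """quote(safe='') mirrors encodeURIComponent: ':' becomes %3A, yet the
    token still verifies once the receiving side unquotes it."""
    encoded = quote(token, safe="")
    return "%3A" in encoded and verify(unquote(encoded))


def quoted_separators(candidates: str = ":*.!'()-_") -> dict:
    """How urllib percent-encodes each candidate separator character."""
    return {c: quote(c, safe="") for c in candidates}


def relative_link_scheme(link: str) -> str:
    """Scheme urlsplit() extracts; non-empty means 'foo:' was read as one."""
    return urlsplit(link).scheme


if __name__ == "__main__":
    tok = sign("hello")
    print(tok, url_roundtrip_ok(tok), quoted_separators())
    print(repr(relative_link_scheme("foo:bar/")), repr(relative_link_scheme("/foo:bar/")))
```

Note that urllib's quote() also percent-encodes '*' (unlike encodeURIComponent), so a separator that survives one encoder untouched may not survive another.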

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/4b0fb342-53d8-4f36-90b6-d450e24bfdab%40googlegroups.com.