> Adam Katz wrote: >> Relative URIs are only safe when prefacing the URI. Requiring the >> protocol beforehand should do the trick. Since "http://" is the >> implied protocol and is 8 chars, we get this: >> >> uri URI_HIDDEN /.{8}\/\../
Ned Slider wrote: > Yep - that works great for me and I understand the logic (I assume you > meant the protocol is a max of 8 chars as in "https://"). I was initially thinking https, but it appears SA's "uri" always converts relative URIs into "http://" links, so we want a "7" there. uri URI_HIDDEN /.{7}\/\../ I should also have noted that while this works around the SA bug, it also ignores hidden dirs and files appearing early in relative paths, like <a href="a.bc/.secret"> and of course it will have to be undone when SA patches that bug.