Use of the format "user:password" in the userinfo field is
deprecated. Applications should not render as clear text any data
after the first colon (":") character found within a userinfo
subcomponent unless the data after the colon is the empty string
(indicating no password). Applications may choose to ignore or
reject such data when it is received as part of a reference and
should reject the storage of such data in unencrypted form. The
passing of authentication information in clear text has proven to be
a security risk in almost every case where it has been used.
jlahijani changed the title from "URL Sanitizer and doesn't support 'userinfo' subcomponent as defined by RFC3986" to "URL Sanitizer considers URL as invalid if it has *both* userinfo and %40" on Feb 12, 2025
=== IGNORE THIS, SEE COMMENTS DIRECTLY AFTERWARD ===
Imagine you have this URL:
As you can see, it's using the following userinfo credentials in the URL:
ProcessWire's URL sanitizer thinks that's invalid, however PHP's FILTER_VALIDATE_URL correctly accepts it.
The spec for how URLs can be formatted is here:
https://datatracker.ietf.org/doc/html/rfc3986
The part about userinfo is here:
https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.1
Note how it says:
This came up because I have to store a URL with userinfo in it as part of a webhook / callback with a 3rd party service. I am using a URL field, but unfortunately it won't save the value since it has userinfo in it. I could switch it to a regular Text field, but I'd prefer not to.
If you decide to support this, please make sure this more advanced URL works (i.e., having %40 as part of the username or password):
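Added example (not part of the original issue and not ProcessWire code): one way to accept a URL whose userinfo contains `%40` while following the RFC 3986 section 3.2.1 guidance quoted above, by masking everything after the first colon of the userinfo before the URL is logged or displayed. The function name `redactUserinfo` and the sample URL are assumptions made for illustration.

```php
<?php
// Added example, not ProcessWire code. The sample URL is constructed.

/**
 * Validate a URL and return a copy that is safe to log or display:
 * anything after the first ":" in the userinfo is replaced by a mask.
 * Returns null when the URL does not validate.
 */
function redactUserinfo(string $url, string $mask = '***'): ?string
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    $out = $p['scheme'] . '://';
    if (isset($p['user'])) {
        // parse_url() leaves percent-encoding intact, so %40 stays %40.
        $out .= $p['user'];
        if (isset($p['pass'])) {
            // An empty password ("user:@host") has nothing to hide.
            $out .= ':' . ($p['pass'] === '' ? '' : $mask);
        }
        $out .= '@';
    }
    $out .= $p['host'];
    if (isset($p['port'])) {
        $out .= ':' . $p['port'];
    }
    $out .= $p['path'] ?? '';
    if (isset($p['query'])) {
        $out .= '?' . $p['query'];
    }
    if (isset($p['fragment'])) {
        $out .= '#' . $p['fragment'];
    }
    return $out;
}

// Constructed webhook URL: the username contains an encoded "@" (%40).
$url = 'https://hook%40acme:s3cret@callbacks.example.com/notify?id=7';

echo redactUserinfo($url) ?? 'invalid', PHP_EOL;
// Decode only at the point of use, never before parsing, or the "@"
// would be mistaken for the userinfo/host delimiter.
echo rawurldecode(parse_url($url, PHP_URL_USER)), PHP_EOL;
```

The stored value itself still carries the password, so the field holding it should be treated as a secret (encrypted at rest, excluded from exports and debug output) rather than as an ordinary URL.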