mirror of
https://github.com/go-gitea/gitea.git
synced 2026-07-15 20:09:18 -05:00
[Bug] Some symbols not encoded, stripped by browser on navigation #14287
Closed
opened 2025-11-02 11:08:42 -06:00 by GiteaMirror
·
14 comments
No Branch/Tag Specified
main
release/v1.25
release/v1.24
release/v1.23
release/v1.22
release/v1.21
release/v1.20
release/v1.19
release/v1.18
release/v1.17
release/v1.16
release/v1.15
release/v1.14
release/v1.13
release/v1.12
release/v1.11
release/v1.10
release/v1.9
release/v1.8
v1.25.3
v1.25.2
v1.25.1
v1.25.0
v1.24.7
v1.25.0-rc0
v1.26.0-dev
v1.24.6
v1.24.5
v1.24.4
v1.24.3
v1.24.2
v1.24.1
v1.24.0
v1.23.8
v1.24.0-rc0
v1.25.0-dev
v1.23.7
v1.23.6
v1.23.5
v1.23.4
v1.23.3
v1.23.2
v1.23.1
v1.23.0
v1.23.0-rc0
v1.24.0-dev
v1.22.6
v1.22.5
v1.22.4
v1.22.3
v1.22.2
v1.22.1
v1.22.0
v1.23.0-dev
v1.22.0-rc1
v1.21.11
v1.22.0-rc0
v1.21.10
v1.21.9
v1.21.8
v1.21.7
v1.21.6
v1.21.5
v1.21.4
v1.21.3
v1.21.2
v1.20.6
v1.21.1
v1.21.0
v1.21.0-rc2
v1.21.0-rc1
v1.20.5
v1.22.0-dev
v1.21.0-rc0
v1.20.4
v1.20.3
v1.20.2
v1.20.1
v1.20.0
v1.19.4
v1.21.0-dev
v1.20.0-rc2
v1.20.0-rc1
v1.20.0-rc0
v1.19.3
v1.19.2
v1.19.1
v1.19.0
v1.19.0-rc1
v1.20.0-dev
v1.19.0-rc0
v1.18.5
v1.18.4
v1.18.3
v1.18.2
v1.18.1
v1.18.0
v1.17.4
v1.18.0-rc1
v1.19.0-dev
v1.18.0-rc0
v1.17.3
v1.17.2
v1.17.1
v1.17.0
v1.17.0-rc2
v1.16.9
v1.17.0-rc1
v1.18.0-dev
v1.16.8
v1.16.7
v1.16.6
v1.16.5
v1.16.4
v1.16.3
v1.16.2
v1.16.1
v1.16.0
v1.15.11
v1.17.0-dev
v1.16.0-rc1
v1.15.10
v1.15.9
v1.15.8
v1.15.7
v1.15.6
v1.15.5
v1.15.4
v1.15.3
v1.15.2
v1.15.1
v1.14.7
v1.15.0
v1.15.0-rc3
v1.14.6
v1.15.0-rc2
v1.14.5
v1.16.0-dev
v1.15.0-rc1
v1.14.4
v1.14.3
v1.14.2
v1.14.1
v1.14.0
v1.13.7
v1.14.0-rc2
v1.13.6
v1.13.5
v1.14.0-rc1
v1.15.0-dev
v1.13.4
v1.13.3
v1.13.2
v1.13.1
v1.13.0
v1.12.6
v1.13.0-rc2
v1.14.0-dev
v1.13.0-rc1
v1.12.5
v1.12.4
v1.12.3
v1.12.2
v1.12.1
v1.11.8
v1.12.0
v1.11.7
v1.12.0-rc2
v1.11.6
v1.12.0-rc1
v1.13.0-dev
v1.11.5
v1.11.4
v1.11.3
v1.10.6
v1.12.0-dev
v1.11.2
v1.10.5
v1.11.1
v1.10.4
v1.11.0
v1.11.0-rc2
v1.10.3
v1.11.0-rc1
v1.10.2
v1.10.1
v1.10.0
v1.9.6
v1.9.5
v1.10.0-rc2
v1.11.0-dev
v1.10.0-rc1
v1.9.4
v1.9.3
v1.9.2
v1.9.1
v1.9.0
v1.9.0-rc2
v1.10.0-dev
v1.9.0-rc1
v1.8.3
v1.8.2
v1.8.1
v1.8.0
v1.8.0-rc3
v1.7.6
v1.8.0-rc2
v1.7.5
v1.8.0-rc1
v1.9.0-dev
v1.7.4
v1.7.3
v1.7.2
v1.7.1
v1.7.0
v1.7.0-rc3
v1.6.4
v1.7.0-rc2
v1.6.3
v1.7.0-rc1
v1.7.0-dev
v1.6.2
v1.6.1
v1.6.0
v1.6.0-rc2
v1.5.3
v1.6.0-rc1
v1.6.0-dev
v1.5.2
v1.5.1
v1.5.0
v1.5.0-rc2
v1.5.0-rc1
v1.5.0-dev
v1.4.3
v1.4.2
v1.4.1
v1.4.0
v1.4.0-rc3
v1.4.0-rc2
v1.3.3
v1.4.0-rc1
v1.3.2
v1.3.1
v1.3.0
v1.3.0-rc2
v1.3.0-rc1
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.2.0-rc3
v1.2.0-rc2
v1.1.4
v1.2.0-rc1
v1.1.3
v1.1.2
v1.1.1
v1.1.0
v1.0.2
v1.0.1
v1.0.0
v0.9.99
Labels
Clear labels
$20
$250
$50
$500
backport/done
💎 Bounty
docs-update-needed
good first issue
hacktoberfest
issue/bounty
issue/confirmed
issue/critical
issue/duplicate
issue/needs-feedback
issue/not-a-bug
issue/regression
issue/stale
issue/workaround
lgtm/need 2
modifies/api
modifies/translation
outdated/backport/v1.18
outdated/theme/markdown
outdated/theme/timetracker
performance/bigrepo
performance/cpu
performance/memory
performance/speed
pr/breaking
proposal/accepted
proposal/rejected
pr/wip
pull-request
reviewed/wontfix
💰 Rewarded
skip-changelog
status/blocked
topic/accessibility
topic/api
topic/authentication
topic/build
topic/code-linting
topic/commit-signing
topic/content-rendering
topic/deployment
topic/distribution
topic/federation
topic/gitea-actions
topic/issues
topic/lfs
topic/mobile
topic/moderation
topic/packages
topic/pr
topic/projects
topic/repo
topic/repo-migration
topic/security
topic/theme
topic/ui
topic/ui-interaction
topic/ux
topic/webhooks
topic/wiki
type/bug
type/deprecation
type/docs
type/enhancement
type/feature
type/miscellaneous
type/proposal
type/question
type/refactoring
type/summary
type/testing
type/upstream
Mirrored from GitHub Pull Request
No Label
issue/needs-feedback
Milestone
No items
No Milestone
Projects
Clear projects
No project
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/gitea#14287
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @OdinVex on GitHub (Mar 21, 2025).
Description
I've got some files that require the
@symbol in their name. Attempting to browse to them via the web UI results in the browser stripping@onward (trims entire string), resulting in a404unless I copy the link and use%40to encode the URL, then it works.Example File:
example@example.extbecomesexamplewhen clicking on the link. Thehrefandtitleare output raw with@shown. Perhaps browsers might suspect it's an attempt to login or something.Gitea Version
Forgejo
Can you reproduce the bug on the Gitea demo site?
Yes
Log Gist
No response
Screenshots
No response
Git Version
No response
Operating System
No response
How are you running Gitea?
Docker.
Database
MySQL/MariaDB
@wxiaoguang commented on GitHub (Mar 21, 2025):
What browser your are using? I can't reproduce it on my side.
@OdinVex commented on GitHub (Mar 21, 2025):
LibreWolf. Not sure if it matters, but it's in a subfolder.
@wxiaoguang commented on GitHub (Mar 21, 2025):
There is no problem for sub folder, see the screenshot
And by the way,
@is a valid char for URL path, it doesn't need to be encoded, see:https://stackoverflow.com/questions/4669692/valid-characters-for-directory-part-of-a-url-for-short-links
So maybe it is the browser's bug?
@OdinVex commented on GitHub (Mar 21, 2025):
"Although these are 79 characters in total that can be used in a path segment literally, some user agents do encode some of these characters as well (e.g. %7E instead of ~). That’s why many use just the 62 alphanumeric characters (i.e. A–Z, a–z, 0–9) or the Base 64 Encoding with URL and Filename Safe Alphabet (i.e. A–Z, a–z, 0–9, -, _)." From the first 'answer' in that Stackoverflow link.
@wxiaoguang commented on GitHub (Mar 21, 2025):
So that's the user agent (browser)'s bug, it should follow the standard to accept
@@wxiaoguang commented on GitHub (Mar 21, 2025):
That answer just means: any char could be encoded, for example:
acould also be encoded, and all user agents are able to decode it.But it doesn't mean that a user agent should be unable to handle the standard chars like
@.@OdinVex commented on GitHub (Mar 21, 2025):
https://www.rfc-editor.org/rfc/rfc3986.txt
"Percent-encoding a reserved character, or decoding a percent-encoded octet that corresponds to a reserved character, will change how the URI is interpreted by most applications."
So it can be interpreted differently, perhaps it should be unambiguous in the interpretation by encoding it so it's seen as data rather than a part of scheme? Maybe I'm missing something, but it appears that way. I'll try asking LibreWolf about it, maybe they can upstream a fix, but I don't see any harm in encoding it.
@wxiaoguang commented on GitHub (Mar 21, 2025):
That part doesn't really apply to the "path encoding"
And you can see Golang also follows the standard: no need to encode
@.We always use the official and standard libraries, so if there is a bug, the bug should be reported to Golang
@OdinVex commented on GitHub (Mar 21, 2025):
The fact it can be interpreted between scheme and application suggests it's up to the implementation, at least what I'm concluding from the RFC. Maybe I'm wrong, I'll try to find out where/who it needs to go. I've wrote a ViolentMonkey script to rewrite the URIs on every page to encode
@for now.Edit: Not sure if it matters, but the actual file path was
https://.../src/branch/lineage-22.1/proprietary/odm/bin/hw/android.hardware.drm@1.3-service.widevineand raw HTML (relative link with stripped user/repo):.../src/branch/lineage-22.1/proprietary/odm/bin/hw/android.hardware.drm@1.3-service.widevine, a cloned repo of an Android proprietary-bin dump for ROM development.@wxiaoguang commented on GitHub (Mar 21, 2025):
Let's take a look at more examples.
The widely used JS site: https://www.unpkg.com/
If your browser is unable to handle
@in a URL path, then it will have problems on various sites.@OdinVex commented on GitHub (Mar 21, 2025):
It worked there. I guess now I need to figure out why my browser is stripping it but only for this.
@wxiaoguang commented on GitHub (Mar 21, 2025):
And one more exmaple: https://www.jsdelivr.com/ . No site really needs to encode
@(but it is fine to encode).Then the
@encoding isn't the root case.No idea why some links doesn't work on your side.
@OdinVex commented on GitHub (Mar 21, 2025):
I'll try to figure out why, but encoding it does "fix" for this. I wonder if it's some kind of security/header or something specific to my instance.
@OdinVex commented on GitHub (Mar 21, 2025):
Figured it out. Buggy extension that doesn't report even seeing the URI. I've spent an hour trying to figure this out and that extension would normally show a notification it's doing something but didn't.
Redirectorsilently borked the link, so I'll take the issue to Redirector. Apologies.