URLs posted with @ in the path are not autolinked properly, are they valid?

Question

I have a site where users post comments. Often, those comments have URLs to a video streaming site with URLs in the following format:

enter image description here

My site does not link the latter part comprising @57m58s which leads them to that specific part of the video.

I tried to determine if this URL format is indeed valid by going through the RFC for URL format. I'm also trying to find out if it has ramifications from the security perspective because these are added as comments in the site. (The comments don't allow users to add HTML content).

Is implementing a filter to ensure that the URL is fully linked inclusive of @time valid? Could it be a security concern?

Based on your profile, I'm guessing this is a problem with Drupal. I created a Drupal sandbox to test it. Here is the screenshot. Drupal does not link the @57m58s portion of the URL. — Stephen Ostermiller, Mar 03 '15 at 17:41
Thanks for the time and effort you put into this! Really appreciate it. — optimusprime619, Mar 04 '15 at 13:41

score 3 · Answer 1 · edited May 23 '17 at 12:37

3

As explained in this SO article, ~~@ is a reserved symbol and should not be used directly in URLs. However, it should work when URL encoded.~~

Correction: @ is a legal character for the path component, and should work. Nevertheless, if reality disagrees with theory, trying a practical solution isn't a bad idea.

Therefore, a form filter that converts raw @ to %40 might solve your problem.

edited May 23 '17 at 12:37

Community

1

answered Mar 03 '15 at 15:16

Foo Bar

243
1
10

According to my answer in the linked question, @ can be used directly (i.e., unencoded) in the path. – unor Mar 03 '15 at 15:31
Res ipsa loquitur. Raw @ isn't working properly on the asker's site. RFC-compliant percent encoding addresses his concerns. – Foo Bar Mar 03 '15 at 15:36
We don’t know why it is not working. Using @ without percent-encoding works perfectly fine for various other sites (including twitter.com). It might be the case that percent-encoding helps the OP in his specific context (which we don’t know yet), but it’s not correct to state that @ "should not be used directly". 2. It is also RFC-compliant not to percent-encode @ in the path.

unor

Mar 03 '15 at 15:42

Stephen Ostermiller · Accepted Answer · 2015-03-03T19:28:54.743

A URL with an @ in the path is valid. RFC 2396 talks about @ in section 2.2. It is a "reserved character". That means that it is allowed in the URL, but that it might have special meaning depending on the spec for that particular URL. In the case of HTTP URLs, there is no special meaning for @ in the path portion. Therefore, it is a legitimate character that may be used by webmasters.

Any software which attempts to use heuristics to identify URLs and autolink them should allow an @ in the path of a HTTP URL.

There are some possible security implications from allowing the path of a linked URL to contain @:

The @ does have special meaning in the domain name portion of a HTTP URL. There it specifies the user name and password for basic authentication. Auto linking a URL like http://user:pass@example.com/ could cause users that click it to automatically log into another site with the specified user and password.
Auto linking a URL like www.example.com@foo.example.net could be problematic. Is that an email address? Is that an attempt to get somebody to log into foo.example.net as the user www.example.com?

In my opinion, these security concerns are minor and would be mitigated by ensuring that any implementation restricts the allowed @ to the portion after the domain name and slash. StackExchange sites do autolink URLs with @ in the path. So doing so is not without precedent.

URLs posted with @ in the path are not autolinked properly, are they valid?

2 Answers2