I'm using the Codeigniter PHP framework. In one of the config files, you can set the allowed URL characters:
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';
So if I attempt to go to this url: website.com/controller/%22quotedString%22, I will get an error unless I append a quote to the permitted characters:
$config['permitted_uri_chars'] .= '"';
My application actually needs to allow all weird characters in the URL, but I don't want to have a huge hardcoded list of characters. Codeigniter warns against allowing all characters:
/*
|--------------------------------------------------------------------------
| Allowed URL Characters
|--------------------------------------------------------------------------
|
| As a security measure you are STRONGLY encouraged to restrict URLs to
| as few characters as possible. By default only these are allowed: a-z 0-9~%.:_-
|
| Leave blank to allow all characters -- but only if you are insane.
|
| DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!!
|
*/
They don't say exactly what the security issues with allowing all characters are. So what are the issues?
There are no inherent security risks to allowing all possible characters in your URL. Security issues depend on what your application does with them.
See this answer. It pretty much explains what a user can do if you allow them to do whatever they want :) Basically, by not allowing '<' and "'" in your URLs, you defend yourself from XSS and SQL Injections. However, if you escape properly and control everything I believe there is no problem in allowing all characters in a URL.
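The following is an added example, not code from the question, the answers or CodeIgniter itself. It reimplements, in simplified form, the two things discussed above: the permitted_uri_chars allowlist check that the question's config controls (CodeIgniter's own URI filter is more involved; this version treats the config value directly as a regex character class, which is an assumption), and the output encoding that the second answer says makes the allowlist unnecessary. The function names and the sample URI segments are constructed for the demonstration.

```php
<?php
// Added example (not CodeIgniter's own code). Shows what the allowlist in
// $config['permitted_uri_chars'] actually does, and why output encoding is
// the control that matters once you relax or blank that list.

// The default allowlist quoted in the question's config file.
$permitted = 'a-z 0-9~%.:_\-';

/**
 * Return true if every character of $uri is in the permitted set.
 * Simplified stand-in for CodeIgniter's URI filter (assumption: the config
 * value is used verbatim as the body of a regex character class). An empty
 * allowlist means "allow everything", matching the config comment's
 * "leave blank" wording.
 */
function uri_is_permitted(string $uri, string $permitted): bool
{
    if ($permitted === '') {
        return true;
    }
    return preg_match('/^[' . $permitted . ']+$/i', $uri) === 1;
}

/**
 * Render a URI segment into HTML. htmlspecialchars() neutralises '<', '>',
 * '"' and "'" regardless of what the allowlist let through, so the page is
 * safe against reflected markup even with permitted_uri_chars left blank.
 */
function render_segment(string $segment): string
{
    return '<p>' . htmlspecialchars($segment, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// The web server decodes %22 into '"' before the framework sees the URI,
// which is why the question's quoted segment fails the default check.
$quoted = rawurldecode('%22quotedString%22');

// Constructed segments for the demonstration.
$segments = [
    'plain-segment_1',   // every character is in the default list
    $quoted,             // rejected by the default list ('"' not permitted)
    '<i>hi</i>',         // rejected by the default list ('<', '>', '/' not permitted)
];

foreach ($segments as $segment) {
    printf("%-20s default list: %s\n",
        $segment, uri_is_permitted($segment, $permitted) ? 'permitted' : 'rejected');
}

// The question's workaround: append '"' to the list, and the quoted segment passes.
printf("%-20s list + '\"':  %s\n",
    $quoted, uri_is_permitted($quoted, $permitted . '"') ? 'permitted' : 'rejected');

// Blank list: everything passes the URI check, so the next layer must cope with it.
printf("%-20s blank list:   %s\n",
    '<i>hi</i>', uri_is_permitted('<i>hi</i>', '') ? 'permitted' : 'rejected');

// Output encoding turns the markup into inert text. Compare this to echoing
// the raw segment, which would be the XSS case the config comment warns about.
echo render_segment('<i>"hi"</i>'), "\n";
```

Run it with `php example.php`. The same reasoning applies to the other sink the answer names: a segment that reaches a database should be bound as a parameter of a prepared statement rather than concatenated into the query string, so that a single quote in the URI is just data. The allowlist is a coarse backstop that blocks characters before they reach any sink; per-sink encoding and parameterisation are what make it safe to relax.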