
Posted by chmaynard 3 days ago

You can use newline characters in URLs (lemire.me)
62 points | 31 comments
bawolff 22 minutes ago|
This sort of thing is sometimes used in so-called "scriptless XSS" attacks, where if you can force the website to have an unclosed URL, you can capture part of the page contents (hopefully containing secrets) and exfiltrate it.

To the point where Chrome stopped allowing newlines in some circumstances: https://chromestatus.com/feature/5735596811091968

bmandale 5 hours ago||
> Remove all ASCII tab or newline from input.

The title is referring to inside HTML attributes, where they will be removed and hence not affect where the link points.

joshuahaglund 5 hours ago||
Yeah "You can use newline or tab characters in the HREF attribute and the browser will throw a validation error, remove the offending character, try again, then succeed" would be a more accurate title.
shiomiru 1 hour ago||
Validation errors aren't really "exceptions" to be thrown, they are indicators for authors that something is probably wrong but they make no visible difference in the output. I'm not sure if any browser even tracks them (and if one did, the best it could do is complain in the dev tools).

Also, this is not limited to HREF, it's defined in URL[0] so you can also put newlines in new URL("...") etc.

[0]: https://url.spec.whatwg.org/#concept-basic-url-parser
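
An added example (not part of the thread) of the parser behaviour discussed above: `new URL()` removes ASCII tab and newline before parsing, so a check on the raw string and a check on the parsed URL can disagree. The hosts, the filter functions and the sample strings are constructed for illustration.

```javascript
// Added example: constructed inputs; allowed.example and blocked.example are placeholder hosts.
const BLOCKED_HOSTS = new Set(["blocked.example"]);

// Hypothetical filter that pattern-matches the raw attribute text.
function naiveIsBlocked(raw) {
  return /^https?:\/\/blocked\.example(\/|$)/i.test(raw);
}

// Same policy, applied to what the WHATWG URL parser actually produces.
function parsedIsBlocked(raw, base = "https://allowed.example/") {
  let url;
  try {
    url = new URL(raw, base);
  } catch {
    return true; // fail closed on input the parser rejects
  }
  return BLOCKED_HOSTS.has(url.hostname);
}

// Raw tab, LF or CR is what the parser silently removes; worth logging on its own.
function hasStrippedChars(raw) {
  return /[\t\n\r]/.test(raw);
}

// Constructed sample values, as they might appear in an href attribute.
const SAMPLES = [
  "https://blocked.example/path",
  "https://blo\ncked.exa\tmple/path",
  "ht\ttps://blocked.example/",
  "https://allowed.example/a\nb",
];

// One row per sample: raw text, parsed href, and the verdict of each check.
function report() {
  return SAMPLES.map((raw) => ({
    raw: JSON.stringify(raw),
    href: new URL(raw).href,
    naive: naiveIsBlocked(raw),
    parsed: parsedIsBlocked(raw),
    strippedChars: hasStrippedChars(raw),
  }));
}

console.table(report());
```

Comparing on `url.hostname` after parsing keeps the check aligned with what the browser will actually request.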

locknitpicker 2 hours ago||
> The title is referring to inside HTML attributes, where they will be removed and hence not affect where the link points.

I thought so too, until I read the URL definition in RFC 1738:

   In some cases, extra whitespace (spaces, linebreaks, tabs, etc.) may need to be added to break long URLs across lines.  The whitespace should be ignored when extracting the URL.

   No whitespace should be introduced after a hyphen ("-") character. Because some typesetters and printers may (erroneously) introduce a hyphen at the end of line when breaking a line, the interpreter of a URL containing a line break immediately after a hyphen should ignore all unencoded whitespace around the line break, and should be aware that the hyphen may or may not actually be part of the URL.
pants2 5 hours ago||
You can put pickle juice in your cereal too
nine_k 5 hours ago||
When you write a regexp to detect liquids in your cereal, you have to account for the pickles, that is, newlines and tabs.
dotancohen 3 hours ago|||
Don't forget about the pickled cabbage (vertical tabs) and pickled pig's foot (null bytes).
dylan604 5 hours ago||
I was thinking similar. Just another example of just because you can doesn't mean you should.
_ZeD_ 41 minutes ago||
Yeah, they might be ignored by the HTML parser and might "work".

Still, not a bright idea.

layman51 5 hours ago||
After I read this, I started to look at the Wikipedia article on Base64 and eventually got to the article for the data URI scheme. That's where I found a sentence that seems to be a little bit at odds with the blog post. The Wikipedia article mentions that "whitespace characters are not permitted in data URIs".

But then I suppose it goes back to the main thrust of the blog post, because it says that, in the context of HTML 4 and 5, linefeeds within an attribute value are ignored. So possibly there are some other contexts where whitespace might not be ignored.

TZubiri 4 hours ago|
They are not, but you can encode them. If you encode whitespace characters, you included whitespace in a URL.

One of the requirements of URLs is that they need to be transmissible over paper or aural media, so arbitrary octets and the unused portion of ASCII are not legal either.

yndoendo 4 hours ago||
Don't forget about pigeon packets. https://www.rfc-editor.org/rfc/rfc2549
TZubiri 1 hour ago||
Seems to be RFC 1149, btw (what you linked is about Pigeon QoS).

Somewhere after DNS IP and SMTP, but still before HTTP(1.0).

sheept 4 hours ago||
Somewhat relatedly, GitHub Pages does support using URL-encoded newline characters %0A to reference file names with newlines,[0] but GitHub itself will omit the file from the web UI's tree view.

[0]: https://sheeptester.github.io/hello-world/test/%20%0A%20%0A/...

renewiltord 5 hours ago||
I don't even put space characters in my filenames. May MyDocu~1 live on forever.
galaxyLogic 2 hours ago|
I try to use "_" instead of whitespace in filenames. Means no need to URI-encode them ever. If you have a space you don't know whether it's a tab or space. Or maybe two spaces. Also when you tell somebody what the file-name is, you don't pronounce spaces.
simonjgreen 29 minutes ago||
“Your scientists were so preoccupied with whether or not they could, they didn't stop to think if they should”
blacktarmac 1 hour ago||
Wild! I like it, thanks for the writeup!
behnamoh 5 hours ago|
title is misleading. I agree with @bmandale's comment.