Technical Analysis: Why Collapsing Double Slashes in HTTP URL Paths is Not Valid Normalization
(See discussion on Lobsters.)
Read the full articleYou might also wanna read

Access - Fix redirect URL fragment encoding for single-page applications
Access now correctly preserves URL fragment characters ( / , ? , = , & , ; ) when redirecting users back to an application after login. Prev

Workers - Workers Static Assets: Corrected handling of double slashes in redirect rule paths
Static Assets : Fixed a bug in how redirect rules defined in your Worker's _redirects file are processed. If you're serving Static Assets wi
GHSA-j3vx-7xgh-q759
phpMyFAQ versions before 4.1.5 have an authenticated path traversal vulnerability in the concatenatePaths() function. A user with FAQ editin
Recursive URL Decoding Can Expose Servers to CPU-Draining Decode Bomb Attacks
A security concern known informally as a 'decode bomb' arises when server-side code loops URL decoding until a string stops changing, allowi
Discovering an Ambiguous URL with Brace Expansion
Imagine a non-technical person has sent you a URL with a long random string in it, printed on paper in a font where I and l look identical (
CVE-2026-55464: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in grokability snipe-it
Snipe-IT versions prior to 8.6.2 contain a cross-site scripting (XSS) vulnerability due to improper sanitization of javascript: URIs in Mark

Comments
Sign in to join the conversation.
No comments yet. Be the first.