the Network.URI parser

Graham Klyne GK at
Tue May 27 04:48:33 EDT 2008


I haven't looked at this code in a while, but... as far as I'm aware it's stable 
and reliable.  The parser was written to follow, as closely as I could manage, 
the specification in RFC2396 ( - experience 
in writing this parser was used as feedback (among many others) in the 
development of RFC2396.

The parser does not attempt to be in any respect scheme-aware.  The parentheses 
here are, as far as I'm aware, quite legitimate in a generic URI, and I think no 
warning or refusal is appropriate for a generic URI parser.  (URIs can be and 
are used in many places other than web pages.)

However, there are additional constraints that may be appropriate for specific 
URI schemes - maybe like reserving parentheses as you suggest - and were I to 
implement these I would do so in a layer built upon the generic URI parser: 
given the generic parse, a lookup on the scheme name could select an additional 
validation function.


Peter Gammie wrote:
> Hello,
> I'm wondering what the state of this parser is.
> It parses the contents of the src attribute in the following:
> <p><img src="javascript:alert('XSS');" alt=""/></p>
> which causes IE 5.5 (and probably 6) to show a dialog box. (I lifted 
> this example from the list at
> I was hoping the parser in Network.URI would choke on it - the 
> parentheses are reserved, at least.
> cheers
> peter

Graham Klyne
Contact info:

More information about the Libraries mailing list