New submission from ready-research:
`urlparse` mishandles certain uses of extra slash or backslash (such as
https:///, https:/, https:\) and interprets the URI as a relative path.
A userland logic implementation that bases its decision on the urlparse()
function may introduce a security
ready-research added the comment:
Some other examples to test this behaviour:
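```python
from urllib.parse import urlparse
# Raw strings keep the backslashes literal without invalid-escape warnings.
urlparse(r'https:/\/\/\www.attacker.com/a/b')
urlparse(r'https:/\www.attacker.com/a/b')
```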
## Comparing it to other languages/runtimes
How do other languages and their runtimes work with URL parsin
ready-research added the comment:
Node.js recommends using the WHATWG URL API, which handles all of these
correctly. We can test the same using https://jsdom.github.io/whatwg-url/
For example, test the URLs below; it will return the same (correct) result for all.
https:///www.attacker.com/a/b
https
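
The behaviour reported in this thread, shown from the side of a validator that has to cope with it. This is an added example, not code from the report or from CPython: `naive_is_relative` and `strict_is_relative` are hypothetical helper names, and the two control URLs are constructed.

```python
from urllib.parse import urlparse

# Inputs taken from the report above; CONTROLS are constructed for comparison.
REPORTED = [
    "https:///www.attacker.com/a/b",
    "https:/www.attacker.com/a/b",
    r"https:\www.attacker.com/a/b",
    r"https:/\/\/\www.attacker.com/a/b",
    r"https:/\www.attacker.com/a/b",
]
CONTROLS = ["/account/settings", "https://www.example.com/a/b"]


def naive_is_relative(url: str) -> bool:
    """Hypothetical userland check: an empty netloc means a same-site path."""
    return urlparse(url).netloc == ""


def strict_is_relative(url: str) -> bool:
    """Accept only an unambiguous same-site path reference."""
    # WHATWG parsers treat '\' like '/' for http(s) and drop tabs/newlines,
    # so any of these characters makes the two parsers disagree: reject them.
    if "\\" in url or any(ord(c) < 0x21 or ord(c) == 0x7F for c in url):
        return False
    parts = urlparse(url)
    if parts.scheme or parts.netloc:
        return False  # anything carrying a scheme is not a relative path
    # A single leading slash only; '//' would be a scheme-relative URL.
    return url.startswith("/") and not url.startswith("//")


def compare(urls):
    """Return {url: (naive verdict, strict verdict)} for each input."""
    return {u: (naive_is_relative(u), strict_is_relative(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, strict) in compare(REPORTED + CONTROLS).items():
        print(f"{url!r:45} naive={naive!s:5} strict={strict}")
```

Every reported input passes the naive check because `urlparse` returns an empty `netloc` for it, while the strict check accepts only the plain `/account/settings` control.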