Custom Link Model - semicolon (;) is sanitized during rendering #8094

Closed
opened 2025-12-29 20:32:18 +01:00 by adam · 5 comments

Originally created by @o4sis on GitHub (May 19, 2023).

Originally assigned to: @arthanson on GitHub.

NetBox version

v3.51

Python version

3.8

Steps to Reproduce

  1. Customization -> Custom Links -> Entry -> Link URL
  2. ; changed to %03B when following link.

Expected Behavior

Render ';' instead of %3B.

Observed Behavior

; is changed to %3B.

Sanitization on the custom link rendering added in 89fa546a prevents ';' in the URL. Adding ';' to the allowed list resolves the issue.

# Sanitize link  
-        link = urllib.parse.quote_plus(link, safe='/:?&=%+[]@#')
+        link = urllib.parse.quote_plus(link, safe='/:?&=%+[]@#;')
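
Review bot: the `+` line widens `safe` by one character with no comment saying why, and nothing in the change tests it. A short comment noting that ';' is a reserved sub-delimiter in RFC 3986 section 2.2 would record the reason, and a test should assert that ';' survives while characters outside the list (for example '"', '<', '>' and space) are still quoted. The remaining sub-delimiters that are not in the list ('!', '$', single quote, '(', ')', '*', ',') will still be percent-encoded after this change, so state whether that is intended.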
adam added the type: bug, status: accepted labels 2025-12-29 20:32:18 +01:00
adam closed this issue 2025-12-29 20:32:19 +01:00

@jsenecal commented on GitHub (May 19, 2023):

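As per [rfc1738](https://www.ietf.org/rfc/rfc1738.txt) and [rfc3986](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2);

> The semicolon ";" is reserved and may not appear without quoting [...]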


@o4sis commented on GitHub (May 19, 2023):

@jsenecal - Please revisit the RFCs and reopen issue. The semicolon ';' is reserved and in the same class as a '?'.


@jsenecal commented on GitHub (Jul 12, 2023):

> @jsenecal - Please revisit the RFCs and reopen issue. The semicolon ';' is reserved and in the same class as a '?'.

Can you please link to the RFC and provide sections where you have information corroborating your point?


@o4sis commented on GitHub (Jul 12, 2023):

https://www.ietf.org/rfc/rfc1738.txt
RFC 1738 Uniform Resource Locators (URL) December 1994

Reserved:

Many URL schemes reserve certain characters for a special meaning:
their appearance in the scheme-specific part of the URL has a
designated semantics. If the character corresponding to an octet is
reserved in a scheme, the octet must be encoded. The characters ";",
"/", "?", ":", "@", "=" and "&" are the characters which may be
reserved for special meaning within a scheme. No other characters may
be reserved within a scheme.

Berners-Lee, Masinter & McCahill [Page 8]

RFC 1738 Uniform Resource Locators (URL) December 1994

3.3. HTTP

The HTTP URL scheme is used to designate Internet resources
accessible using HTTP (HyperText Transfer Protocol).

The HTTP protocol is specified elsewhere. This specification only
describes the syntax of HTTP URLs.

An HTTP URL takes the form:

  http://<host>:<port>/<path>?<searchpart>

where <host> and <port> are as described in Section 3.1. If :<port>
is omitted, the port defaults to 80. No user name or password is
allowed. <path> is an HTTP selector, and <searchpart> is a query
string. The <path> is optional, as is the <searchpart> and its
preceding "?". If neither <path> nor <searchpart> is present, the "/"
may also be omitted.

Within the <path> and <searchpart> components, "/", ";", "?" are
reserved. The "/" character may be used within HTTP to designate a
hierarchical structure.

Berners-Lee, Masinter & McCahill [Page 19]

RFC 1738 Uniform Resource Locators (URL) December 1994

alpha = lowalpha | hialpha
digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" |
"8" | "9"
safe = "$" | "-" | "_" | "." | "+"
extra = "!" | "*" | "'" | "(" | ")" | ","
national = "{" | "}" | "|" | "\" | "^" | "~" | "[" | "]" | "`"
punctuation = "<" | ">" | "#" | "%" | <">

reserved = ";" | "/" | "?" | ":" | "@" | "&" | "="
hex = digit | "A" | "B" | "C" | "D" | "E" | "F" |
"a" | "b" | "c" | "d" | "e" | "f"
escape = "%" hex hex

unreserved = alpha | digit | safe | extra
uchar = unreserved | escape
xchar = unreserved | reserved | escape
digits = 1*digit

https://datatracker.ietf.org/doc/html/rfc3986#section-2.2
2.2. Reserved Characters

URIs include components and subcomponents that are delimited by
characters in the "reserved" set. These characters are called
"reserved" because they may (or may not) be defined as delimiters by
the generic syntax, by each scheme-specific syntax, or by the
implementation-specific syntax of a URI's dereferencing algorithm.
If data for a URI component would conflict with a reserved
character's purpose as a delimiter, then the conflicting data must be
percent-encoded before the URI is formed.

  reserved    = gen-delims / sub-delims

  gen-delims  = ":" / "/" / "?" / "#" / "[" / "]" / "@"

  sub-delims  = "!" / "$" / "&" / "'" / "(" / ")"
              / "*" / "+" / "," / ";" / "="
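
Added example, not part of the original thread or NetBox's code: it runs both `safe` strings from the diff against the RFC 3986 reserved sets quoted above, showing which delimiters `quote_plus` still rewrites and that quote and angle-bracket characters stay encoded after the change. The `sanitize` and `still_encoded` helpers and the sample URLs are constructed for illustration.

```python
from urllib.parse import quote_plus

# The two safe strings from the diff in this issue.
SAFE_BEFORE = '/:?&=%+[]@#'
SAFE_AFTER = '/:?&=%+[]@#;'

# RFC 3986 section 2.2 reserved sets, as quoted in the thread.
GEN_DELIMS = ':/?#[]@'
SUB_DELIMS = "!$&'()*+,;="


def sanitize(link, safe):
    """Hypothetical wrapper around the quote_plus call shown in the diff."""
    return quote_plus(link, safe=safe)


def still_encoded(chars, safe):
    """Return the characters from `chars` that quote_plus rewrites under `safe`."""
    return ''.join(c for c in chars if quote_plus(c, safe=safe) != c)


# Constructed sample links (example.com is a placeholder host).
MATRIX_URL = 'https://example.com/report;format=csv?x=1;y=2'
MARKUP_URL = 'https://example.com/"><b>x y'
ESCAPED_URL = 'https://example.com/a%3Bb'  # already percent-encoded input

if __name__ == '__main__':
    for label, safe in (('before', SAFE_BEFORE), ('after', SAFE_AFTER)):
        print(label)
        print('  gen-delims encoded:', still_encoded(GEN_DELIMS, safe) or '(none)')
        print('  sub-delims encoded:', still_encoded(SUB_DELIMS, safe))
        for url in (MATRIX_URL, MARKUP_URL, ESCAPED_URL):
            print('  ', url, '->', sanitize(url, safe))
```

Because '%' is in both safe strings, input that is already percent-encoded passes through unchanged rather than being double-encoded.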

@jsenecal commented on GitHub (Jul 13, 2023):

Thanks for the additional information. Would you mind if I assigned this to you since you already provided a fix?


Reference: starred/netbox#8094