The whitelist is currently:
" !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~"
Normally browsers do not send # or any following content to the server. It feels like it ought not be included.
Normally spaces should be url-encoded as %20. It feels like it ought not be included.
$() ` | {} all feel likely to be attempts to tickle shells in various ways and unlikely to be useful in "real" redirects. I think these ought not be included.
Thanks
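
An added example, not part of the original post or the project's code: a small audit that compares the quoted whitelist with the narrower one the post suggests, and reports which characters in a redirect target would stop being accepted and why. It assumes the quoted string is the printable ASCII range 0x20-0x7E; the function names and sample targets are constructed for illustration.

```python
# Whitelist as quoted in the post, read as every printable ASCII
# character from 0x20 (space) to 0x7E (~). This reading is an assumption.
CURRENT_WHITELIST = frozenset(chr(c) for c in range(0x20, 0x7F))

# Characters the post suggests dropping, keyed to the reason it gives.
PROPOSED_REMOVALS = {
    "#": "fragment marker, not normally sent to the server",
    " ": "raw space, normally URL-encoded as %20",
}
PROPOSED_REMOVALS.update({ch: "shell metacharacter" for ch in "$()`|{}"})

PROPOSED_WHITELIST = CURRENT_WHITELIST - frozenset(PROPOSED_REMOVALS)


def allowed(target, whitelist):
    """True if every character of the redirect target is in the whitelist."""
    return all(ch in whitelist for ch in target)


def audit_redirect(target):
    """Return (index, char, reason) for each character the proposed
    whitelist would reject, including ones already rejected today."""
    findings = []
    for i, ch in enumerate(target):
        if ch not in CURRENT_WHITELIST:
            findings.append((i, ch, "rejected by current whitelist"))
        elif ch in PROPOSED_REMOVALS:
            findings.append((i, ch, PROPOSED_REMOVALS[ch]))
    return findings


if __name__ == "__main__":
    # Constructed sample redirect targets, not taken from any real log.
    samples = [
        "/account/settings?tab=2&lang=en",
        "/docs/My File.pdf",
        "/docs/My%20File.pdf",
        "/next#section",
        "/go?to=$(x)`y`|{z}",
        "/caf\u00e9",
    ]
    for s in samples:
        print(repr(s),
              "current:", allowed(s, CURRENT_WHITELIST),
              "proposed:", allowed(s, PROPOSED_WHITELIST))
        for idx, ch, why in audit_redirect(s):
            print(f"    col {idx}: {ch!r} -> {why}")
```

Running the audit over existing redirect targets before tightening the whitelist shows which legitimate redirects, if any, depend on the characters being removed.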