
Comments (35)

  • bawolff
    This sort of thing is sometimes used in so-called "scriptless xss" attacks, where if you can force the website to have an unclosed url, you can capture part of the page contents (hopefully containing secrets) and exfiltrate it. To the point where chrome stopped allowing newlines in some circumstances https://chromestatus.com/feature/5735596811091968
  • bmandale
    > Remove all ASCII tab or newline from input.

    The title is referring to inside html attributes, where they will be removed and hence will not affect where the link points.
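The spec step quoted above, shown against a real WHATWG URL parser. This is an added example, not code from the blog post or from anyone in the thread; it uses Node's built-in URL class, and the sample URLs and allow-list are constructed for the example.

```javascript
// Added example: how a WHATWG URL parser treats ASCII tab/newline inside a URL,
// and why any link check should run on the parsed URL rather than the raw string.

// Mirrors the first steps of the URL Standard's basic parser: strip leading and
// trailing C0 controls/space, then remove every ASCII tab (0x09), LF (0x0A)
// and CR (0x0D). Reimplemented here only so it can be compared with new URL().
function stripUrlWhitespace(raw) {
  return raw
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Parse with the platform parser (the same rules a browser applies to href).
// Returns null when the input is not an absolute URL.
function parseHref(raw) {
  try {
    return new URL(raw);
  } catch {
    return null;
  }
}

// Detection helper: does the raw value carry tab/newline that the parser will
// silently drop? The spec calls this a validation error, but parsing continues.
function hasHiddenWhitespace(raw) {
  return /[\t\n\r]/.test(raw);
}

// Allow-list check done on the parsed URL, so it agrees with what the browser
// will actually navigate to. allowedHosts is a constructed list for this example.
function isAllowedLink(raw, allowedHosts) {
  const url = parseHref(raw);
  if (url === null) return false;
  if (url.protocol !== "https:") return false;
  return allowedHosts.includes(url.hostname);
}

// Constructed samples (not from the page).
const SAMPLES = [
  "https://example.com/docs",
  "https://exa\nmple.com/do\tcs",  // parser removes the \n and \t
  "  https://example.com/x\r\n",    // leading/trailing whitespace removed
];

function demo() {
  return SAMPLES.map((s) => ({
    raw: JSON.stringify(s),
    href: parseHref(s)?.href ?? null,
    hidden: hasHiddenWhitespace(s),
  }));
}
```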
  • sheept
    Somewhat relatedly, GitHub Pages does support using URL-encoded newline characters %0A to reference file names with newlines,[0] but GitHub itself will omit the file from the web UI's tree view.

    [0]: https://sheeptester.github.io/hello-world/test/%20%0A%20%0A/...
  • pants2
    You can put pickle juice in your cereal too
  • tomtomtom777
    > Effectively, the error is ignored although it might be logged. Thus our HTML is fine in practice.

    That is not the right mindset to create good things. If it's an error, it's not fine.
  • urbandw311er
    You’re a braver coder than me if you trade off potential errors in a massive pipeline of browsers, DNS, cache servers and proxies just so your code looks a bit neater! (EDIT: But this is a welcome, interesting post, just to be clear!)
  • layman51
    After I read this, I started to look at the Wikipedia article on Base64 and eventually got to the article for the data URI scheme. That's where I found a sentence that seems a little bit at odds with the blogpost. The Wikipedia article mentions that "whitespace characters are not permitted in data URIs". But then I suppose it goes back to the main thrust of the blogpost because it says that in the context of HTML 4 and 5, linefeeds within an attribute value are ignored. So possibly there are some other contexts where whitespace might not be ignored.
  • mike-cardwell
    This looks like a good way to trip up crappily built bots
  • _ZeD_
    Yeah, they might be ignored by the html parser and might "work". Still, not a bright idea.
  • renewiltord
    I don't even put space characters in my filenames. May MyDocu~1 live on forever.
  • behnamoh
    title is misleading. I agree with @bmandale's comment.
  • est
    on a side note you can use many surprising non-standard HTTP verbs, but many CDNs like Cloudflare filter them
  • blacktarmac
    Wild! I like it thanks for the writeup!
  • bubblewand
    Vertical tabs in file names is where it’s at.
  • simonjgreen
    “Your scientists were so preoccupied with whether or not they could, they didn't stop to think if they should”
  • etothet
    “Hey you got new lines in my URLs!” “You got URLs in my new lines!”
  • TZubiri
    Cool thanks I 100% will not, if only because newlines are header separators in HTTP.
  • vivzkestrel
    - https://lemire.me/blog/ I am not able to see a quick list of all the posts on your blog, I tried all the pages
    - https://lemire.me/posts
    - https://lemire.me/archive
    - https://lemire.me/archives
    - Every one of them gives me a 404, can you kindly add some page on your blog from where I can just see the titles of all the articles quickly?
    - Most blogs posted on HN are not user friendly in this regard, sometimes the reader wants a quick glimpse of everything on 1 page so that they can quickly pick interesting stuff
  • jprjr_
    I stopped reading Daniel Lemire a while back.He had a blog post that seemed just weird and out of left field. Like it was clearly a response to something but what? What was the motivation for it?When asked he said y'know. He just thinks about stuff and writes and that's what he does.Turns out the blog post was a post he also made on social media. And said post was a response to something. And I guess he thought it was pretty good writing and should go on his blog, too.Nothing wrong with that on it's own but I feel like most people would preface a post like that with "I saw this thing." And when directly asked like... He just straight up lied?That whole thing just rubbed me the wrong way.For full context https://lemire.me/blog/2025/10/17/research-results-are-cultu...In the comments I turned into kind of a dick. I was pretty upset about being lied to.Anyways between that and articles like this that are honestly useless and kinda misleading - I'm not really the biggest fan.