isURL not checking for unsafe characters

[omegdadi]

URLs should not container any of the following characters. isURL returns true for URLs that contain these characters. They should be encoded within the URL:

" < > # % { } | \ ^ ~ [ ] `

[profnandaa]

@omegdadi -- I want some clarification on this. Don't we have URL's with # e.g. #652 (comment), and %20 (url-encoded space), etc. What's really the valid list of "unsafe" characters?

[omegdadi]

That's a good question. The hash (#) seems to be okay only separate the URL from a fragment identifier, which is not considered part of the URL (e.g. what if your URL has 2, is it valid?). An encoded space is okay, but if you're testing a URL that has a literal space in it, it should fail.

See Character Encoding Chart in this post: https://perishablepress.com/stop-using-unsafe-characters-in-urls/
See page 2 of RFC for unsafe characters: http://www.ietf.org/rfc/rfc1738.txt

[profnandaa]

@omegdadi - happy to accept PR! 👍

[pano9000]

this is largely still valid in the latest version, but < and > do return false now.
The other ones still erroneously return true.