From the CodeIgniter config.php file:
/*
|--------------------------------------------------------------------------
| Allowed URL Characters
|--------------------------------------------------------------------------
|
| This lets you specify with a regular expression which characters are permitted
| within your URLs. When someone tries to submit a URL with disallowed
| characters they will get a warning message.
|
| As a security measure you are STRONGLY encouraged to restrict URLs to
| as few characters as possible. By default only these are allowed: a-z 0-9~%.:_-
|
| Leave blank to allow all characters -- but only if you are insane.
|
| DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!!
|
*/
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';
Would it be safe for me to add the @ character to this list of permitted characters? What are the risks?
Thanks
@ is used to prepend a username and possibly a password to URLs that require HTTP auth. How that is insecure I cannot tell from this comment. Theoretically, depending on the context, you may not want users to enter such URLs.
Other than that, this kind of security check is a bit... dumb; there are increasing numbers of top-level domains out there that use characters other than ASCII. Russia was allocated .рф, Mainland China got .中國, and there are many more examples.
http://en.wikipedia.org/wiki/Internationalized_domain_name
It's safe; see the list of unsafe chars:
http://www.blooberry.com/indexdot/html/topics/urlencoding.htm
It is not listed there to prevent this kind of URL:
http://mybank.com-some-very-long-string@hacker.com/
This would go to hacker.com while looking like mybank.com to a casual user.
You shouldn't, unless you encode it. The unencoded @ is reserved for a special meaning, like an FTP user (monty@ftp.python.com) or an email address (monty.python@camelot.com).
So, regardless of the temptation, don't do it. Why would you want to anyway?
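To make the two answers above concrete, here is an added example (not CodeIgniter's own code, and not part of the original answers) that models the permitted_uri_chars whitelist as a simple PHP regex check, shows with parse_url() why the look-alike URL from the earlier answer really connects to hacker.com, and shows that the percent-encoded form of an @ already passes the default configuration because % is permitted. The function names, the constructed URLs and the simplified check itself are assumptions for illustration; CodeIgniter's real filter is built differently.

```php
<?php
// Added example, not CodeIgniter's own code: a simplified whitelist check
// in the spirit of permitted_uri_chars, applied to each path segment of a URL,
// plus a demonstration of why a bare "@" inside a URL is worth rejecting.

// Default value as quoted from config.php above; "\-" escapes the hyphen
// inside the character class.
const DEFAULT_PERMITTED = 'a-z 0-9~%.:_\-';

// Returns true when every character of $segment is in the permitted class.
// Hypothetical helper modelled on the whitelist idea; CI's exact regex differs.
function segment_allowed(string $segment, string $permitted = DEFAULT_PERMITTED): bool
{
    if ($segment === '') {
        return true;
    }
    return preg_match('/^[' . $permitted . ']+$/i', $segment) === 1;
}

// Splits the path of a URL and checks every segment against the whitelist.
function url_segments_allowed(string $url, string $permitted = DEFAULT_PERMITTED): bool
{
    $path = parse_url($url, PHP_URL_PATH);
    if (!is_string($path)) {
        $path = '';
    }
    foreach (explode('/', trim($path, '/')) as $segment) {
        if (!segment_allowed($segment, $permitted)) {
            return false;
        }
    }
    return true;
}

// 1. The look-alike URL from the answer above (constructed sample): everything
//    before "@" is userinfo, so the host that gets contacted is hacker.com.
$lookalike = 'http://mybank.com-some-very-long-string@hacker.com/';
$parts = parse_url($lookalike);
printf("host=%s user=%s\n", $parts['host'], $parts['user']);

// 2. A raw "@" inside a segment is rejected by the default whitelist, but is
//    accepted as soon as "@" is appended to permitted_uri_chars.
var_dump(segment_allowed('monty@ftp.python.com'));
var_dump(segment_allowed('monty@ftp.python.com', DEFAULT_PERMITTED . '@'));

// 3. The encoded form needs no change to the configuration: rawurlencode()
//    turns "@" into "%40", and "%" is already in the default class.
$encoded = rawurlencode('monty@ftp.python.com');
var_dump(segment_allowed($encoded));
var_dump(url_segments_allowed('http://example.com/users/' . $encoded));
```

Run it with `php example.php`. The first line prints hacker.com as the host and the long mybank.com string as the user part, which is exactly the deception the earlier answer describes; the remaining checks show that keeping @ out of the whitelist does not stop you from carrying an address in a segment, provided it is encoded as %40 as the second answer recommends.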
RFC 1738 permits only the following characters in the path segment of a URI (not the query part): A-Za-z0-9_\-\.!~*\'"(),
You can find more specific details about it here; it also suggests how you can use dangerous characters by encoding them:
http://perishablepress.com/stop-using-unsafe-characters-in-urls/
Moreover, javascript: could be dangerous.
You can use &lt; to replace < signs, and other special dangerous characters with their respective substitutes.