maybe they were looking for extra special characters like 🁄 or ⶸ. Who am I kidding, RFC 1738 tells us that literally everything is unsafe and you know, we need to prepare for the inevitable occasion when the password somehow ends up inside an URL.

The characters "<" and ">" are unsafe because they are used as the delimiters around URLs in free text;
the quote mark (""") is used to delimit URLs in some systems.
The character "#" is unsafe
The character "%" is unsafe

It ends up with

Thus, only alphanumerics, the special characters
$ - _ . + ! * ' ( ) ,
are safe

[–] protogen420@lemmy.blahaj.zone 5 points 2 weeks ago (1 children)

I am going put null on my password and you aren't stopping me

[–] Baizey@feddit.dk 2 points 2 weeks ago

Also [object Object] is always a classic to mess with any js

[–] planish@sh.itjust.works 5 points 2 weeks ago (1 children)

If the password is going in URLs you already have a problem.

[–] Quibblekrust@thelemmy.club 1 points 1 week ago (1 children)

It's safe for https.

[–] planish@sh.itjust.works 1 points 1 week ago (1 children)

In terms of the transport, sure.

But if you put the password in a URL, the user's browser is going to turn around and store that plaintext password in its history, then sync it to the user's other devices, and then pop it up on their screen in the address bar autocomplete, perhaps when the user is screen sharing or streaming to hundreds of people. The browser does not expect a password to be stored there and will mishandle it.

[–] Quibblekrust@thelemmy.club 2 points 1 week ago

Nah, if you type a password in a url, it gets turned into asterisks. Look: https://google.com/?password********************