Cannot use unicode in redirect URLs #5508

Closed
100phlecs opened this issue Jul 6, 2023 · 2 comments

100phlecs commented Jul 6, 2023

Environment

  • Elixir version (elixir -v): 1.15.2
  • Phoenix version (mix deps): 1.7.6
  • Operating system: MacOS

Actual behavior

When upgrading to 1.7.6, I received errors about invalid characters for a redirect to this URL: ~p"/traditional/characters/手"

** (ArgumentError) unsafe characters detected for local redirect in URL "/traditional/characters/%E6%89%8B"

Looking through the commit history, recently there were percents added as invalid characters for a redirect url.

Percents are necessary for encoding unicode into URLs, but I can no longer use unicode URLs for redirects.

Expected behavior

We should be able to use unicode URLs within redirects.

There's a PR #5482 that solves this issue while still taking care of the vulnerability which originated this, #5415
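The report above turns on percent-escapes being how non-ASCII paths are written while also being able to stand in for other characters. The Elixir module below is an added example, not Phoenix's code and not the change in #5482: it decodes the path once and validates the decoded bytes, so `%E6%89%8B` passes while escapes that decode to unsafe characters do not. The module name, the deny-list (backslash and ASCII control bytes), the reason atoms and the `example.test` inputs are assumptions made for illustration.

```elixir
defmodule LocalRedirectCheck do
  @moduledoc "Added example, not Phoenix's code: vet a local redirect path."

  @doc "Returns {:ok, path} if the path is a safe local target, else {:error, reason}."
  def validate("/" <> _ = path) do
    with {:ok, decoded} <- decode(path, ""),
         :ok <- check_utf8(decoded),
         :ok <- check_bytes(decoded),
         :ok <- check_prefix(decoded) do
      {:ok, path}
    end
  end

  def validate(_other), do: {:error, :not_a_local_path}

  # Percent-decode one level; a "%" not followed by two hex digits is rejected.
  defp decode(<<?%, h1, h2, rest::binary>>, acc) do
    case Base.decode16(<<h1, h2>>, case: :mixed) do
      {:ok, byte} -> decode(rest, acc <> byte)
      :error -> {:error, :malformed_escape}
    end
  end

  defp decode(<<?%, _::binary>>, _acc), do: {:error, :malformed_escape}
  defp decode(<<byte, rest::binary>>, acc), do: decode(rest, <<acc::binary, byte>>)
  defp decode(<<>>, acc), do: {:ok, acc}

  # Escapes must decode to well-formed UTF-8 (for example %E6%89%8B is "手").
  defp check_utf8(decoded) do
    if String.valid?(decoded), do: :ok, else: {:error, :invalid_utf8}
  end

  # Assumed deny-list: backslash and ASCII control bytes, literal or escaped.
  defp check_bytes(decoded) do
    bad = fn b -> b < 0x20 or b == 0x7F or b == ?\\ end
    if Enum.any?(:binary.bin_to_list(decoded), bad), do: {:error, :unsafe_character}, else: :ok
  end

  # "//host" is scheme-relative, so it leaves the site even though it starts with "/".
  defp check_prefix("//" <> _), do: {:error, :scheme_relative}
  defp check_prefix(_), do: :ok
end

# Constructed sample inputs; the first is the path from the report above.
for path <- ["/traditional/characters/%E6%89%8B", "/%2Fexample.test", "/a%5Cb", "/caf%E9", "/x%ZZ"] do
  IO.inspect({path, LocalRedirectCheck.validate(path)})
end
```

Only the first input is accepted; the others are rejected as scheme-relative, unsafe character, invalid UTF-8 and malformed escape respectively.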

@chrismccord
Member

This is fixed by #5482, but I need some time to properly review it because it is security related. In the meantime you can always build the redirect yourself. Thanks!

@100phlecs
Author

That makes a lot of sense, I didn't give much thought to the security implications.
Important to get it right which requires some time—the last thing you want to do is accidentally reintroduce the vulnerability by rushing out another patch 😬

Thanks for the great framework! 🙂
