// Escapes characters in text suitable for use as an external protocol handler
// command.
-// We %XX everything except alphanumerics and %-_.!~*'() and the restricted
-// chracters (;/?:@&=+$,).
+// We %XX everything except alphanumerics and -_.!~*'() and the restricted
+// chracters (;/?:@&=+$,#[]) and a valid percent escape sequence (%XX).
NET_EXPORT std::string EscapeExternalHandlerValue(const std::string& text);
// Appends the given character to the output string, escaping the character if
// Unescapes control characters such as %01. This INCLUDES NULLs. This is
// used for rare cases such as data: URL decoding where the result is binary
- // data. You should not use this for normal URLs!
+ // data. This flag also unescapes BiDi control characters.
+ //
+ // DO NOT use CONTROL_CHARS if the URL is going to be displayed in the UI
+ // for security reasons.
CONTROL_CHARS = 8,
// URL queries use "+" for space. This flag controls that replacement.