fix: URL fragment check (#305)

- Fix erroneously forbidden characters in fragment check
- Narrow allowed characters for fragment based on standard

src/validators/url.py

@@ -111,8 +111,8 @@ def _validate_optionals(path: str, query: str, fragment: str, strict_query: bool
     if query and parse_qs(query, strict_parsing=strict_query):
         optional_segments &= True
     if fragment:
-        fragment = fragment.lstrip("/") if fragment.startswith("/") else fragment
-        optional_segments &= all(char_to_avoid not in fragment for char_to_avoid in ("?",))
+        # See RFC3986 Section 3.5 Fragment for allowed characters
+        optional_segments &= bool(re.fullmatch(r"[0-9a-zA-Z?/:@\-._~!$&'()*+,;=]*", fragment))
     return optional_segments
 
 

tests/test_url.py

@@ -85,6 +85,8 @@
         "http://-.~_!$&'()*+,;=:%40:80%2f::::::@example.com",
         "https://exchange.jetswap.finance/#/swap",
         "https://www.foo.com/bar#/baz/test",
+        "https://matrix.to/#/!BSqRHgvCtIsGittkBG:talk.puri.sm/$1551464398"
+        + "853539kMJNP:matrix.org?via=talk.puri.sm&via=matrix.org&via=disroot.org",
         # when simple_host=True
         # "http://localhost",
         # "http://localhost:8000",