From 15984e89a96ee8e8ceb9c2148cac6896a85cd71e Mon Sep 17 00:00:00 2001
From: darkdragon-001
Date: Thu, 5 Oct 2023 03:07:51 +0200
Subject: [PATCH] fix: URL fragment check (#305)

- Fix erroneously forbidden characters in fragment check
- Narrow allowed characters for fragment based on standard
---
 src/validators/url.py | 4 ++--
 tests/test_url.py | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/validators/url.py b/src/validators/url.py
index 00df3d63..613121d5 100644
--- a/src/validators/url.py
+++ b/src/validators/url.py
@@ -111,8 +111,8 @@ def _validate_optionals(path: str, query: str, fragment: str, strict_query: bool
 if query and parse_qs(query, strict_parsing=strict_query):
 optional_segments &= True
 if fragment:
- fragment = fragment.lstrip("/") if fragment.startswith("/") else fragment
- optional_segments &= all(char_to_avoid not in fragment for char_to_avoid in ("?",))
+ # See RFC3986 Section 3.5 Fragment for allowed characters
+ optional_segments &= bool(re.fullmatch(r"[0-9a-zA-Z?/:@\-._~!$&'()*+,;=]*", fragment))
 return optional_segments


diff --git a/tests/test_url.py b/tests/test_url.py
index 558d50ce..89ae6786 100644
--- a/tests/test_url.py
+++ b/tests/test_url.py
@@ -85,6 +85,8 @@
 "http://-.~_!$&'()*+,;=:%40:80%2f::::::@example.com",
 "https://exchange.jetswap.finance/#/swap",
 "https://www.foo.com/bar#/baz/test",
+ "https://matrix.to/#/!BSqRHgvCtIsGittkBG:talk.puri.sm/$1551464398"
+ + "853539kMJNP:matrix.org?via=talk.puri.sm&via=matrix.org&via=disroot.org",
 # when simple_host=True
 # "http://localhost",
 # "http://localhost:8000",
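Review bot: The character class in the new `re.fullmatch` line has no `%`, so any percent-encoded fragment (constructed example: `#caf%C3%A9`) now fails validation, although RFC 3986 section 3.5 defines a fragment as `*( pchar / "/" / "?" )` and pchar includes pct-encoded. The old check rejected only `?`, so this is a regression for callers that encode fragments correctly, and a validator that rejects well-formed URLs tends to get switched off. I would accept a well-formed triplet rather than a bare `%`: `optional_segments &= bool(re.fullmatch(r"(?:[0-9a-zA-Z?/:@\-._~!$&'()*+,;=]|%[0-9a-fA-F]{2})*", fragment))`. Since `%` is outside the class, the two alternatives cannot overlap and matching stays linear. `_validate_optionals` begins before this hunk, so it is not visible here whether `re` is already imported in url.py or whether non-ASCII fragments are meant to pass.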
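Review bot: Only an accepted URL is added in this hunk, so nothing pins the "narrow allowed characters" half of the commit: no case shows a fragment that must now be rejected. I would add a rejected case to the module's invalid-URL list, for example the constructed sample `"https://www.foo.com/bar#baz^qux",`, and an accepted percent-encoded case such as `"https://www.foo.com/bar#caf%C3%A9",` to fix the intended handling of `%`. The list these entries belong to starts outside the hunk, so I am assuming it is the valid-URL parametrization.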