From 684d080f9a08bc4e3962ccbaa6592902135ac3e8 Mon Sep 17 00:00:00 2001 From: Tulir Asokan Date: Thu, 14 May 2026 00:50:55 +0300 Subject: [PATCH] Clarify allowed characters in `mxc://` URIs (#2377) The security considerations section already has this MUST, but people often don't look that far. Signed-off-by: Tulir Asokan --- changelogs/client_server/newsfragments/2377.clarification | 1 + content/client-server-api/modules/content_repo.md | 6 +++++- 2 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 changelogs/client_server/newsfragments/2377.clarification diff --git a/changelogs/client_server/newsfragments/2377.clarification b/changelogs/client_server/newsfragments/2377.clarification new file mode 100644 index 00000000..5d7af863 --- /dev/null +++ b/changelogs/client_server/newsfragments/2377.clarification @@ -0,0 +1 @@ +Clarify allowed characters in `mxc://` URIs. diff --git a/content/client-server-api/modules/content_repo.md b/content/client-server-api/modules/content_repo.md index ad65ea42..7c11d908 100644 --- a/content/client-server-api/modules/content_repo.md +++ b/content/client-server-api/modules/content_repo.md @@ -40,6 +40,10 @@ mxc:/// : An opaque ID which identifies the content. ``` +The `media-id` segment MUST consist of only alphanumeric (`A-Za-z0-9`), `_` and +`-` characters. See the [security considerations](#content-repo-security-considerations) +section below for more details. + #### Client behaviour {id="content-repo-client-behaviour"} Clients can access the content repository using the following endpoints. @@ -125,7 +129,7 @@ Servers MUST NOT upscale thumbnails under any circumstance. Servers MUST NOT return a smaller thumbnail than requested, unless the original content makes that impossible. -#### Security considerations +#### Security considerations {id="content-repo-security-considerations"} The HTTP GET endpoint does not require any authentication. Knowing the URL of the content is sufficient to retrieve the content, even if the
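Review bot: The sentence added in the `@@ -40,6 +40,10 @@` hunk of `content_repo.md` duplicates a MUST that, according to the commit message, the security considerations section already carries, so the allowed character set becomes normative in two places and the two can drift apart. Consider making one of them the definition and having the other refer to it, or at least confirm that both list exactly `A-Za-z0-9`, `_` and `-`. The added sentence also leaves open whether an empty `media-id` is valid and what an implementation should do with an ID containing other characters; if the linked section specifies that handling, a few words saying so here would help a reader who stops at this paragraph, which is the audience the commit message describes.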
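Review bot: The explicit id added to the `#### Security considerations` heading in the `@@ -125,7 +129,7 @@` hunk replaces whatever anchor that heading was reachable under before, so any existing link to the old anchor would stop resolving; a search of the repository for references to it before merging would settle this. The new id does match the `#content-repo-security-considerations` link target added in the earlier hunk and follows the `content-repo-client-behaviour` naming visible in the context lines.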