Clarify allowed characters in mxc:// URIs

The security considerations section already has this MUST, but people often don't look that far. Signed-off-by: Tulir Asokan <tulir@maunium.net>
2026-06-13 11:47:48 +02:00 · 2026-05-13 18:10:26 +03:00 · 2026-05-13 18:10:26 +03:00 · c5a4c0a1c8
parent 59b92ce9e6
commit c5a4c0a1c8
2 changed files with 6 additions and 1 deletions
--- a/changelogs/client_server/newsfragments/2377.clarification
+++ b/changelogs/client_server/newsfragments/2377.clarification
@ -0,0 +1 @@
+Clarify allowed characters in `mxc://` URIs.
--- a/content/client-server-api/modules/content_repo.md
+++ b/content/client-server-api/modules/content_repo.md
@ -40,6 +40,10 @@ mxc://<server-name>/<media-id>
 <media-id> : An opaque ID which identifies the content.
 ```

+The `media-id` segment MUST consist of only alphanumeric (`A-Za-z0-9`), `_` and
+`-` characters. See the [security considerations](#content-repo-security-considerations)
+section below for more details.
+
 #### Client behaviour {id="content-repo-client-behaviour"}

 Clients can access the content repository using the following endpoints.
@ -125,7 +129,7 @@ Servers MUST NOT upscale thumbnails under any circumstance. Servers MUST
 NOT return a smaller thumbnail than requested, unless the original
 content makes that impossible.

-#### Security considerations
+#### Security considerations {id="content-repo-security-considerations"}

 The HTTP GET endpoint does not require any authentication. Knowing the
 URL of the content is sufficient to retrieve the content, even if the