Merge 1659acfc45 into 21109b4d5b

changelogs/client_server/newsfragments/2217.clarification

@@ -1 +0,0 @@
-The `server-name` segment of MXC URIs is sanitised differently from the `media-id` segment.

content/client-server-api/modules/content_repo.md

@@ -134,14 +134,9 @@ entity isn't in the room.
 `mxc://` URIs are vulnerable to directory traversal attacks such as
 `mxc://127.0.0.1/../../../some_service/etc/passwd`. This would cause the
 target homeserver to try to access and return this file. As such,
-homeservers MUST sanitise `mxc://` URIs by:
+homeservers MUST sanitise `mxc://` URIs by allowing only alphanumeric
-
+(`A-Za-z0-9`), `_` and `-` characters in the `server-name` and
--   restricting the `server-name` segment to valid
+`media-id` values. This set of whitelisted characters allows URL-safe
-    [server names](/appendices/#server-name)
--   allowing only alphanumeric (`A-Za-z0-9`), `_` and `-` characters in
-    the `media-id` segment
-
-The resulting set of whitelisted characters allows URL-safe
 base64 encodings specified in RFC 4648. Applying this character
 whitelist is preferable to blacklisting `.` and `/` as there are
 techniques around blacklisted characters (percent-encoded characters,