Karel
@theseion, I'm afraid the solution you suggested won't work. The problem is finding any charset parameters that have illegal values, not blocking requests that have more than one charset parameter...
@theseion I understand. I've spent a decent amount of time on the problem and so far I haven't seen any alternatives. In theory, my approach is nearly ideal, and the...
@theseion, that's uhh quite the regex. This solution goes far beyond the scope of finding invalid charset values, which makes it more prone to bypasses. This [regex101](https://regex101.com/r/JZYeyd/1) is one such...
@theseion, Sorry for the delayed response. This is a complicated discussion and I couldn't find the right moment for me to get my story straight. > I don't want to...
@lifeforms, > What do you think about Max' proposal of improving the script and using it? If we were to use @theseion's solution, I would recommend at least finding out...
@dune73, > @karelorigin contributed a proof-of-concept script that comes up with a speedy regular expression that does away with the need for look-around. The script needs work, though. Correct! >...
The current regex within this PR introduces bypasses as the newly added character set does not respect input boundaries (e.g. beginning of a string). The tests do not cover this...
> I've added the `i` flag `(##!+ i)` to ignore case while matching. Yes, so case-insensitivity for a case-sensitive language? 😅 I also noticed that all the whitespaces are removed...
Could it be a good idea to change the error message as it's (almost) never applicable and thus not accurate?
Hey @mhmdiaa! Yes, using a different root domain as a baseline can lead to better results, which is what I did in my second run :) Interesting tactic! I've been...