What can happen if i use a loose URL chars restriction?
#1

[eluser]plainas[/eluser]
Let's say I allow every char and escape them whenever I put user data in an SQL query, etc. What can possibly happen?

Can anybody give me an example to illustrate this?
#2

[eluser]Rick Jolly[/eluser]
You just need to be concerned if you are echoing anything from your url. For example, you wouldn't want to print this to the browser: "controller/method/<scribt>alert('may I steal your cookie?')</scribt>". As long as you run the uri or its segments through htmlspecialchars(), then you won't have a problem.

Kohana has actually done away with the allowed url characters restriction.
#3

[eluser]xwero[/eluser]
[quote author="Rick Jolly" date="1219202814"]Kohana has actually done away with the allowed url characters restriction.[/quote]
In CI you can do
Code:
$config['permitted_uri_chars'] = '';
#4

[eluser]plainas[/eluser]
So let's say I want to allow users to create meaningful URLs, is this the correct way to output them?

Code:
$urlchunk = "/some?crazy!stuff;put;here\$byTheuser";
$urlchunk = urlencode($urlchunk); # Is this necessary?
echo htmlspecialchars(base_url().$urlchunk);

This is quite confusing. What could happen if I skipped the urlencode call?

Just out of curiosity, if I allow the forward slash, I wonder if it will be picked up as a parameter or if it will still work as the separator.
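The two questions in this thread (Rick Jolly's point in #2 about echoing URL segments, and plainas's question in #4 about what urlencode() is for and what a forward slash does) can be answered with one small model. The following is an added example, not code from the thread or from CodeIgniter: Python's urllib.parse.quote() and html.escape() stand in for PHP's rawurlencode() and htmlspecialchars(), the base URL and the user-typed chunks are constructed sample values, and split_segments() is a deliberately simplified model of what a front controller does with the request path (stop at '?', split on '/', then percent-decode each piece). Real routers differ in details, but the ordering "split first, decode second" is the standard behaviour and is what makes an encoded %2F survive inside a segment while a raw '/' becomes a separator.

```python
import html
from urllib.parse import quote, unquote

# Constructed sample inputs (assumptions, not values from the thread).
BASE_URL = "http://example.com/index.php/"          # stand-in for base_url()
USER_CHUNK = "/some?crazy!stuff;put;here$byTheuser"  # "meaningful" user-chosen chunk
XSS_CHUNK = "<script>alert(document.cookie)</script>"  # reflected-XSS probe


def build_url(base: str, chunk: str, encode: bool = True) -> str:
    """Append a user-controlled chunk to the base URL.

    encode=True mirrors rawurlencode(): every reserved character, '/' included,
    becomes %XX, so the whole chunk travels as exactly one path segment.
    encode=False is the 'skip the urlencode call' case from post #4.
    """
    return base + (quote(chunk, safe="") if encode else chunk)


def split_segments(url: str) -> tuple[list[str], str]:
    """Simplified front-controller parsing of the request URI.

    1. drop the base URL, 2. cut at the first '?' (query string),
    3. split the remainder on '/', 4. percent-decode each piece AFTER splitting.
    Step 4 is why a literal '/' acts as the separator but an encoded %2F does not.
    """
    path = url[len(BASE_URL):]
    path, _, query = path.partition("?")
    segments = [unquote(s) for s in path.split("/") if s != ""]
    return segments, query


def render_html(text: str, escape: bool = True) -> str:
    """Model of 'echo htmlspecialchars($x)' versus a bare 'echo $x' inside an <a>.

    html.escape(..., quote=True) converts & < > " ' exactly as
    htmlspecialchars($x, ENT_QUOTES) would, so the text can no longer close the
    attribute or open a <script> element.
    """
    shown = html.escape(text, quote=True) if escape else text
    return f'<a href="{shown}">{shown}</a>'


if __name__ == "__main__":
    # 1. Without urlencode(): '?' starts a query string and '/' becomes a separator,
    #    so the chunk does not survive as one segment.
    raw_url = build_url(BASE_URL, USER_CHUNK, encode=False)
    print(raw_url, "->", split_segments(raw_url))

    # 2. With urlencode(): the chunk round-trips as a single segment.
    enc_url = build_url(BASE_URL, USER_CHUNK)
    print(enc_url, "->", split_segments(enc_url))

    # 3. The reflected-XSS case from post #2: the segment is decoded server side,
    #    so what matters is the escaping at output time, not the URL encoding.
    seg, _ = split_segments(build_url(BASE_URL, XSS_CHUNK))
    print("unsafe:", render_html(seg[0], escape=False))
    print("safe:  ", render_html(seg[0], escape=True))
```

Note the asymmetry the last case shows: URL-encoding protects the structure of the URL (which part is a segment, which is the query string), while htmlspecialchars() protects the page that echoes the segment back. The framework decodes the segment before handing it to the controller, so an encoded `%3Cscript%3E` in the request is `<script>` again by the time it is echoed, and only the output escaping prevents the injection. One difference between the stand-ins: PHP's urlencode() turns a space into `+` and rawurlencode() into `%20`; quote() here matches rawurlencode().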



