There are many online sites that accept reading input from remote locations. For example a site might try to extract all the text from a webpage, or show you the HTTP-headers a given server sends back in response to a request.
If you run such a site you must make sure you validate the schema you’re given – also remembering to do that if you’re sent any HTTP-redirects.
Really the issue here is a confusion between URL & URI.
The only time I ever communicated with Aaron Swartz was unfortunately after his death, because I didn’t make the connection. I randomly stumbled upon the html2text software he put together, which had an online demo containing a form for entering a location. I tried the obvious input:
The software was vulnerable, read the file, and showed it to me.
The site gives errors on all inputs now, so it cannot be used to demonstrate the
Original URL: http://feedproxy.google.com/~r/feedsapi/BwPx/~3/92BFSddaKxU/If_your_code_accepts_URIs_as_input__.html