From cec0178e7679c3dcf37a541d27a107491b2ba1a1 Mon Sep 17 00:00:00 2001 From: Dominik Date: Wed, 25 Mar 2026 07:02:33 +0100 Subject: [PATCH] fix: encode dots in URL path segments to prevent browser resolution (#3308) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When editing a regex domain that is just "." (single dot), the browser interprets it as a relative path component ("current directory") and resolves it away before sending the request. The server receives an empty string, causing "Invalid request: Specify item in URI". This happens because encodeURIComponent(".") returns "." unchanged — dots are unreserved characters per RFC 3986. The browser only normalizes literal "." and ".." path segments, not percent-encoded "%2E". Add utils.encodePathSegment() which wraps encodeURIComponent and also encodes dots to %2E, then apply it in groups-domains.js (the reported bug) and groups.js (which was also missing encoding entirely). Fixes #3308 Signed-off-by: Dominik
---
 scripts/js/groups-domains.js | 2 +-
 scripts/js/groups.js | 2 +-
 scripts/js/utils.js | 8 ++++++++
 3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/scripts/js/groups-domains.js b/scripts/js/groups-domains.js
index 23adc919..4af046cb 100644
--- a/scripts/js/groups-domains.js
+++ b/scripts/js/groups-domains.js
@@ -611,7 +611,7 @@ function editDomain() {
 "/domains/" +
 newTypestr +
 "/" +
- encodeURIComponent(domainDecoded),
+ utils.encodePathSegment(domainDecoded),
 method: "put",
 dataType: "json",
 processData: false,
diff --git a/scripts/js/groups.js b/scripts/js/groups.js
index fbad0364..4452466a 100644
--- a/scripts/js/groups.js
+++ b/scripts/js/groups.js
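Review bot: `newTypestr` on the context line above the changed call is still concatenated into the path without encoding, while only the last segment goes through `utils.encodePathSegment`. Its assignment is outside the hunk, so it is not visible whether it is limited to fixed type/kind values; if it is, a comment such as `// newTypestr comes from a fixed set of values and is safe to concatenate` would make that explicit, otherwise each of its parts needs the same encoding. editDomain's body starts and ends outside the hunk.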
@@ -328,7 +328,7 @@ function editGroup() {
 utils.disableAll();
 utils.showAlert("info", "", "Editing group...", oldName);
 $.ajax({
- url: document.body.dataset.apiurl + "/groups/" + oldName,
+ url: document.body.dataset.apiurl + "/groups/" + utils.encodePathSegment(oldName),
 method: "put",
 dataType: "json",
 processData: false,
diff --git a/scripts/js/utils.js b/scripts/js/utils.js
index 2ab9edcb..b6554629 100644
--- a/scripts/js/utils.js
+++ b/scripts/js/utils.js
@@ -518,6 +518,13 @@ function parseQueryString() {
 return Object.fromEntries(params.entries());
 }
+// Encode a string for use as a URL path segment. encodeURIComponent does not
+// encode dots, but browsers resolve "." and ".." as relative path components
+// before sending the request, breaking domains like "." or "..".
+function encodePathSegment(text) {
+ return encodeURIComponent(text).replaceAll(".", "%2E");
+}
+
 function hexEncode(text) {
 if (typeof text !== "string" || text.length === 0) return "";
@@ -726,6 +733,7 @@ globalThis.utils = (function () {
 changeTableButtonStates,
 getCSSval,
 parseQueryString,
+ encodePathSegment,
 hexEncode,
 hexDecode,
 listsAlert,
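Review bot: `oldName` is assigned outside this hunk, so it is not visible whether it holds the raw group name or an already-encoded form when it reaches `utils.encodePathSegment(oldName)`; if it were already encoded, its `%` characters would be encoded a second time and the PUT would address a group that does not exist. A short comment above the call would settle it, for example `// oldName is the raw (decoded) group name; encode exactly once here`. Since the removed line let a name containing `/`, `?` or `#` change the request target, a regression test with such a name is worth adding. editGroup's body starts and ends outside the hunk.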
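Review bot: Percent-encoding the dot in `encodePathSegment` may not stop the normalisation its comment describes: the WHATWG URL Standard defines a single-dot path segment as `.` or a case-insensitive match for `%2e`, and treats `.%2e`, `%2e.` and `%2e%2e` as double-dot segments, so a parser that follows it can still drop or collapse a segment that is exactly `%2E` or `%2E%2E`. Please confirm in each supported browser that a lone `.` or `..` reaches the server, for instance by checking `new URL("x/%2E", document.baseURI).pathname`, and record the outcome in the comment, e.g. `// Verified: a "%2E" segment is sent unchanged by <browsers tested>`. If it does not survive, the item would have to travel outside the path, which is an API decision beyond this hunk. The helper also has no input guard, unlike `hexEncode` directly below it, so an `undefined` argument is sent as the literal segment `undefined`.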