golang · VenkatKwest · Apr 8, 2026
diff --git a/doc/next/6-stdlib/99-minor/net/url/78569.md b/doc/next/6-stdlib/99-minor/net/url/78569.md
@@ -0,0 +1,3 @@
+[URL.Hostname] and [URL.Port] now follow RFC 6874 more strictly by
+forbidding unescaped non-unreserved characters in IPv6 zone identifiers.
+[#78569](/issue/78569)
diff --git a/src/net/url/encoding_table.go b/src/net/url/encoding_table.go
diff --git a/src/net/url/gen_encoding_table.go b/src/net/url/gen_encoding_table.go
@@ -156,7 +156,7 @@ func shouldEscape(c byte, mode encoding) bool {
 		return false
 	}
 
-	if mode == encodeHost || mode == encodeZone {
+	if mode == encodeHost {
 		// §3.2.2 Host allows
 		//	sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="
 		// as part of reg-name.
@@ -172,6 +172,21 @@ func shouldEscape(c byte, mode encoding) bool {
 		}
 	}
 
+	if mode == encodeZone {
+		// RFC 6874 §2 defines:
+		//   ZoneID = 1*( unreserved / pct-encoded )
+		//   unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
+		// ALPHA and DIGIT are already handled above.
+		// All other characters — including sub-delims like "!" and
+		// gen-delims like "]" — must be percent-encoded, not raw.
+		switch c {
+		case '-', '.', '_', '~':
+			return false
+		}
+		return true
+	}
+
+
 	switch c {
 	case '-', '_', '.', '~': // §2.3 Unreserved characters (mark)
 		return false

diff --git a/src/net/url/url_test.go b/src/net/url/url_test.go
@@ -751,6 +751,12 @@ var parseRequestURLTests = []struct {
 	{"http://[fe80::%31]:8080/", false},
 	{"http://[fe80::%31%25en0]/", false},
 	{"http://[fe80::%31%25en0]:8080/", false},
+	{"http://[::1%25]evil.com]", false},
+	{"http://[::1%25]evil.com]:80", false},
+	{"http://[fe80::1%25!]/", false},
+	{"http://[fe80::1%25$]/", false},
+	{"http://[fe80::1%25&]/", false},
+
 
 	// These two cases are valid as textual representations as
 	// described in RFC 4007, but are not valid as address