In UriComponentsBuilder::fromUriString, we use regular expressions to parse a given String into the various URI components (scheme, host, path, etc.). Regular expressions, by their very nature, are limited in what they can and cannot track. Because of these limitations, URL parsing has been a significant source of security reports recently. Additionally, the expressions have grown to be quite complicated over the years.

The Living URL standard provides a robust algorithm for parsing URLs. We should introduce a URL parser based on that algorithm, instead of using regular expressions.
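
The limitation described in the issue, shown as an added example that is not Spring's code: the generic RFC 3986 Appendix B expression (an assumed stand-in for regex-based parsing, not the expression used in UriComponentsBuilder) is compared with the URL Living Standard parser that Node.js exposes as `URL`. The function names and sample inputs are constructed for illustration.

```javascript
// RFC 3986 Appendix B: group 2 = scheme, group 4 = authority, group 5 = path.
const RFC3986 = /^(([^:\/?#]+):)?(\/\/([^\/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?/;

// Host as a regex-based splitter sees it: authority minus userinfo and port.
function regexHost(input) {
  const m = RFC3986.exec(input);
  if (!m || m[4] === undefined) return null;
  const afterUserinfo = m[4].slice(m[4].lastIndexOf("@") + 1);
  return afterUserinfo.replace(/:\d*$/, "");
}

// Host as the Living Standard state machine sees it (Node's built-in URL).
function whatwgHost(input) {
  try {
    return new URL(input).hostname;
  } catch {
    return null; // the standard's parser rejects the input outright
  }
}

// Defensive differential check: flag any input on which the two views differ.
function compareHosts(input) {
  const regex = regexHost(input);
  const whatwg = whatwgHost(input);
  return { regex, whatwg, agree: regex !== null && regex === whatwg };
}

// Constructed sample inputs (reserved example domain only).
const SAMPLES = [
  "https://example.com/path?q=1",    // plain URL: both agree
  "https://user@example.com:8443/x", // userinfo and port: both agree
  "HTTPS://EXAMPLE.COM/a",           // the standard lowercases the host
  "https://example.com\\path",       // "\" acts as "/" only for special schemes
  "https://exa\tmple.com/",          // the standard strips tabs and newlines first
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), compareHosts(s));
}
```

The last three inputs need context the single expression does not carry (scheme-dependent delimiters, input pre-processing, host normalization), which is the kind of state the standard's algorithm tracks explicitly.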

Comment From: poutsma

Due to security considerations, this is an issue that we'd like to handle ourselves, and as such it is not open for external contributions.