One thing we might want to do here: update the MDN docs so users know not expect URL components to be sanitized.
Bug 1863622 Comment 11 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
One thing we might want to do here: update the MDN docs so users know not expect URL components to be sanitized. I will defer to the security team to determine the impact of this issue on users and its severity.