What is the semicolon reserved for in URLs?

Question

The RFC 3986 URI: Generic Syntax spec lists a semicolon as a reserved (sub-delim) character:

reserved    = gen-delims / sub-delims

gen-delims  = \":\" / \"/         


        

Answer 1

I found the following use-cases:

Its the final character of a HTML entity:
https://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references

To use one of these character entity references in an HTML or XML document, enter an ampersand followed by the entity name and a semicolon, e.g., & for the ampersand ("&").

Apache Tomcat 7 (or newer versions?!) us it as path parameter:
https://superevr.com/blog/2011/three-semicolon-vulnerabilities

Apache Tomcat is one example of a web server that supports "Path Parameters". A path parameter is extra content after a file name, separated by a semicolon. Any arbitrary content after a semicolon does not affect the landing page of a web browser. This means that http://example.com/index.jsp;derp will still return index.jsp, and not some error page.

URI scheme splits by it the MIME and data:
https://en.wikipedia.org/wiki/Data_URI_scheme

It can contain an optional character set parameter, separated from the preceding part by a semicolon (;) .

And there was a bug in IIS5 and IIS6 to bypass file upload restrictions:
https://www.owasp.org/index.php/Unrestricted_File_Upload

Blacklisting File Extensions This protection might be bypassed by: ... by adding a semi-colon character after the forbidden extension and before the permitted one (e.g. "file.asp;.jpg")

Conclusion:
Do not use semicolons in URLs or they could accidentally produce a HTML entity or URI scheme.