pallets/flask

Change of query string encoding behaviour in flask 3.0

spanezz opened this issue · 1 comments

Flask until 2.0 decoded %-encoded entities from query strings, while it seems that Flask 3.0 does not.

Given this print_args.py:

from flask import Flask, request

app = Flask(__name__)


@app.route("/")
def hello_world():
    return request.args.get("test")

Ok Flask 2:

$ flask --version
Python 3.11.2
Flask 2.2.2
Werkzeug 2.2.2
$ flask --app print_args run
...
curl http://127.0.0.1:5000?test=%A0+++a
�   a

On Flask 3:

$ flask --version
Python 3.11.9
Flask 3.0.3
Werkzeug 3.0.2
$ flask --app print_args run
...
curl http://127.0.0.1:5000?test=%A0+++
%A0   a

While I understand %A0 is not a valid unicode sequence, this is a change of behaviour that may be worth documenting.

This is documented in Werkzeug's change log, where the change happened. https://werkzeug.palletsprojects.com/en/3.0.x/changes/#version-2-3-0

Percent encoding in URLs must always represent UTF-8 bytes. Invalid bytes are left percent encoded rather than replaced.

See pallets/werkzeug#2602 for the issue discussing the change and pallets/werkzeug#2641 for the PR with more discussion.
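The rule quoted above (percent-escapes must decode as UTF-8; bytes that do not are left percent-encoded rather than replaced with U+FFFD) reproduced in plain Python as an added example, not code from Flask or Werkzeug. It uses only the standard library; the error-handler name `example.url_quote`, the `parse_args` helper and its `legacy` flag are assumptions of this example, and the sample query strings are constructed from the ones in the issue.

```python
import codecs
from urllib.parse import parse_qsl, quote


def _requote_invalid_bytes(exc: UnicodeError) -> tuple[str, int]:
    """Codec error handler: percent-encode the undecodable byte(s) again
    instead of replacing them, so the raw %XX survives decoding.
    Returns (replacement text, position to resume decoding at)."""
    if not isinstance(exc, UnicodeDecodeError):
        raise exc  # only decoding errors are handled here
    bad = exc.object[exc.start:exc.end]  # the offending byte(s)
    return quote(bad, safe=""), exc.end


# Hypothetical handler name; it exists only in this example.
codecs.register_error("example.url_quote", _requote_invalid_bytes)


def parse_args(query: str, legacy: bool) -> dict[str, str]:
    """Decode a query string into {name: first value}, roughly what
    request.args.get() returns.  legacy=True imitates the pre-2.3
    Werkzeug result (invalid UTF-8 bytes become U+FFFD); legacy=False
    imitates the rule in the 2.3.0 changelog (invalid bytes stay
    percent-encoded, valid UTF-8 such as %C3%A9 is still decoded)."""
    errors = "replace" if legacy else "example.url_quote"
    args: dict[str, str] = {}
    # parse_qsl turns '+' into ' ' and passes `errors` to bytes.decode()
    for name, value in parse_qsl(query, keep_blank_values=True, errors=errors):
        args.setdefault(name, value)
    return args


if __name__ == "__main__":
    # constructed sample queries: the one from the issue, a valid
    # multi-byte sequence, and a truncated multi-byte sequence
    for q in ("test=%A0+++a", "test=caf%C3%A9", "test=%C3%28"):
        old = parse_args(q, legacy=True)["test"]
        new = parse_args(q, legacy=False)["test"]
        print(f"{q:16} old={old!r:14} new={new!r}")
```

Run as a script it prints the old and new decoding side by side; `test=%A0+++a` yields `'\ufffd   a'` under the old rule and `'%A0   a'` under the new one, matching the two curl outputs in the issue.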