URLFormEncoder does not escape all reserved characters

Question

URLFormEncoder does not escape all reserved characters

Opened this issue a month ago · 3 comments

davedelong commented a month ago

Describe the issue

URLFormEncoder should be encoding characters like $, but does not

Vapor version

4.92.5

Operating system and version

macOS 14.3

Swift version

5.9.0

Steps to reproduce

let form = ["hello": "world$"]
let encoder = try ContentConfiguration.global.requireEncoder(for: .urlEncodedForm)
var buffer = ByteBuffer()
var headers = HTTPHeaders()
try encoder.encode(form, to: &buffer, headers: &headers)

print(String(bytes: ByteBufferView(buffer), encoding: .utf8)!)

Outcome

This should print hello=world%24. Instead, it prints hello=world$.

Additional notes

According to Wikipedia, the reserved characters include $ and should be percent-escaped.

Answer 1 · 2024-04-15T00:55:51.000Z

I believe that this CharacterSet is not excluding all the characters it should be.

Answer 2 · 2024-04-26T14:53:14.000Z

Ok me and @gwynne did some diving into this and it's definitely a bug - I have no idea how it's been undiscovered this long. There doesn't appear to be a good actual RFC spec to refer to, but the best we've found is https://url.spec.whatwg.org/#application-x-www-form-urlencoded-percent-encode-set

The application/x-www-form-urlencoded percent-encode set contains all code points, except the ASCII alphanumeric, U+002A (*), U+002D (-), U+002E (.), and U+005F (_).

Answer 3 · 2024-04-26T14:53:30.000Z

Will schedule a fix for this asap