[ 
https://issues.apache.org/jira/browse/WHIMSY-344?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Sebb updated WHIMSY-344:
------------------------
    Description: 
URI.[un]escape have been deprecated, and need to be replaced in Whimsy code.

The suggested replacements are CGI.[un]escape and 
URI.[un]encode_www_form_component

AFAICT these only work correctly for form parameters.
Space is escaped to '\+', and '\+' is unescaped to space.

This is incorrect for the path component, which uses %-encoding only.
Note that the path component allows '+' without encoding.
This clashes with the use of '+' to represent space when encoding form 
parameters.

It looks like ERB::Util.url_encode may be OK for encoding path segments.
It encodes more characters than necessary, but at least it only uses %-encoding.

CGI.unescape will correctly decode a path encoded with ERB::Util.url_encode.
However if a path component was encoded without %-encoding '+', CGI.unescape 
will incorrectly decode the '+' to space.

URI.unescape uses URI::RFC2396_Parser under the hood, and that has not been 
deprecated.
So a possible replacement is URI::RFC2396_Parser.new.unescape(path)


  was:
URI.[un]escape have been deprecated, and need to be replaced in Whimsy code.

The suggested replacements are CGI.[un]escape and 
URI.[un]encode_www_form_component

AFAICT these only work correctly for form parameters.
Space is escaped to '+', and '+' is unescaped to space.

This is incorrect for the path component, which uses %-encoding only.
Note that the path component allows '+' without encoding.
This clashes with the use of '+' to represent space when encoding form 
parameters.

It looks like ERB::Util.url_encode may be OK for encoding path segments.
It encodes more characters than necessary, but at least it only uses %-encoding.

CGI.unescape will correctly decode a path encoded with ERB::Util.url_encode.
However if a path component was encoded without %-encoding '+', CGI.unescape 
will incorrectly decode the '+' to space.

URI.unescape uses URI::RFC2396_Parser under the hood, and that has not been 
deprecated.
So a possible replacement is URI::RFC2396_Parser.new.unescape(path)



> Issues with URI.[un]escape
> --------------------------
>
>                 Key: WHIMSY-344
>                 URL: https://issues.apache.org/jira/browse/WHIMSY-344
>             Project: Whimsy
>          Issue Type: Bug
>            Reporter: Sebb
>            Priority: Major
>
> URI.[un]escape have been deprecated, and need to be replaced in Whimsy code.
> The suggested replacements are CGI.[un]escape and 
> URI.[un]encode_www_form_component
> AFAICT these only work correctly for form parameters.
> Space is escaped to '\+', and '\+' is unescaped to space.
> This is incorrect for the path component, which uses %-encoding only.
> Note that the path component allows '+' without encoding.
> This clashes with the use of '+' to represent space when encoding form 
> parameters.
> It looks like ERB::Util.url_encode may be OK for encoding path segments.
> It encodes more characters than necessary, but at least it only uses 
> %-encoding.
> CGI.unescape will correctly decode a path encoded with ERB::Util.url_encode.
> However if a path component was encoded without %-encoding '+', CGI.unescape 
> will incorrectly decode the '+' to space.
> URI.unescape uses URI::RFC2396_Parser under the hood, and that has not been 
> deprecated.
> So a possible replacement is URI::RFC2396_Parser.new.unescape(path)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
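
Added example (not part of the issue and not Whimsy code): a Ruby check of the behaviour the description reports, comparing ERB::Util.url_encode, CGI.unescape and URI::RFC2396_Parser#unescape on path segments. The helper names and the sample segments are constructed for illustration.

```ruby
require 'cgi'
require 'erb'
require 'uri'

# Constructed sample path segments (not taken from Whimsy).
SAMPLES = ['a b', 'c++ notes', '100% done', 'plain'].freeze

PATH_PARSER = URI::RFC2396_Parser.new

# Encode one path segment using %-encoding only (space => %20, '+' => %2B).
def encode_segment(seg)
  ERB::Util.url_encode(seg)
end

# Path-style decode: only %XX sequences are interpreted, a bare '+' is kept.
def decode_segment(enc)
  PATH_PARSER.unescape(enc)
end

# Form-style decode, for comparison: a bare '+' becomes a space.
def form_decode(enc)
  CGI.unescape(enc)
end

# True when the two decoders disagree on an encoded segment, which happens
# when the segment carries a '+' that was not %-encoded.
def ambiguous?(enc)
  decode_segment(enc) != form_decode(enc)
end

# Segments produced by encode_segment round-trip through either decoder.
SAMPLES.each do |seg|
  enc = encode_segment(seg)
  puts format('%-12s -> %-18s path=%-12p form=%p',
              seg, enc, decode_segment(enc), form_decode(enc))
end

# A path segment that arrives with a literal '+' (allowed in a path) is
# decoded differently by the two functions.
incoming = 'c++%20notes' # constructed input
puts format('%-12s path=%p form=%p ambiguous=%s',
            incoming, decode_segment(incoming), form_decode(incoming),
            ambiguous?(incoming))
```
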
