Howdy folks. Due to some draconian anti-SQL injection filters in our firewall software, I'm exploring how a few things work with URL building in Drupal 7 & 8. A particular firewall rule is rejecting %20and%20, which unfortunately comes up fairly often with searches and webform, because both URLs for those get encoded in that way.
Now, this filtering is not of course Drupal's problem, but in tracking this down, I found that basically, drupal_http_build_query and drupal_encode_path use rawurlencode and thus change spaces to %20. The space change and the lack of encoding the ~ seem to be the only difference between rawurlencode and urlencode in PHP. (Further info here: http://stackoverflow.com/questions/996139/php-urlencode-vs-rawurlencode )

Since drupal_http_build_query was introduced in D7, as was drupal_encode_path, they both seem to have always used rawurlencode; however, the previous function for the latter was drupal_urlencode, which was a wrapper for urlencode.

Does anyone know why we switched to using rawurlencode instead of urlencode? Does anyone have thoughts on switching back to urlencode? I could just go file a feature request for this, but wanted to get a feel for the history and reasons for this change first.

Thanks!

Cheers,
Kevin O'Brien
Drupal Developer
http://www.coderintherye.com
415-754-0112
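The difference between the two encoders discussed in this message, as an added example that is not part of the original post and is not Drupal's code. The parameter values are constructed, and rawurldecode() is assumed as a stand-in for a path decoder that follows RFC 3986.

```php
<?php
// Added illustration; all parameter values below are constructed samples.
$params = ['keys' => 'cats and dogs', 'user' => '~kevin'];

// Query strings: http_build_query() can apply either rule set.
// RFC 3986 = rawurlencode() rules: space becomes %20, ~ is left alone.
$raw = http_build_query($params, '', '&', PHP_QUERY_RFC3986);
// RFC 1738 = urlencode() rules: space becomes +, ~ becomes %7E.
$plain = http_build_query($params, '', '&', PHP_QUERY_RFC1738);

// parse_str() decodes a query string the way PHP fills $_GET, so the
// two spellings are compared after decoding rather than as raw text.
parse_str($raw, $fromRaw);
parse_str($plain, $fromPlain);

printf("RFC 3986 query: %s\n", $raw);
printf("RFC 1738 query: %s\n", $plain);
printf("same values after decoding: %s\n",
    var_export($fromRaw === $fromPlain && $fromRaw === $params, true));

// Path segments: "+" is an ordinary character there, so the two encoders
// are not interchangeable once the decoder stops treating "+" as a space.
// rawurldecode() models such a decoder (assumption for this example).
$segment = 'C++ notes';
foreach (['rawurlencode', 'urlencode'] as $encode) {
    $encoded = $encode($segment);
    $decoded = rawurldecode($encoded);
    printf("%-12s %-18s -> %-10s %s\n", $encode, $encoded, $decoded,
        $decoded === $segment ? 'round-trips' : 'changed');
}
```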