I wasn't around when this happened, but the history is all documented
and searchable, so it didn't take too long to find an answer. While
drupal_urlencode() was a wrapper for urlencode() in D5, it became a
wrapper for rawurlencode() in D6. Here's the commit:
http://drupalcode.org/project/drupal.git/commitdiff/f68f52540107a625f326448f413bc323e2138f31
And here's the related issue with discussion of why that change was made:
http://drupal.org/node/191116
--
Scott Reynen
Sliced Bread Labs
On 3/21/13 9:22 PM, Kevin O wrote:
Howdy folks. Due to some draconian anti-SQL injection filters in our
firewall software, I'm exploring how a few things work with url building
in Drupal 7 & 8. A particular firewall rule is rejecting %20and%20 which
unfortunately comes up fairly often with searches and webform, because
both URLs for those get encoded in that way.
Now, this filtering is not of course Drupal's problem, but in tracking
this down, I found that basically, drupal_http_build_query and
drupal_encode_path use rawurlencode and thus change spaces to %20. The
space change and the lack of encoding the ~ seem to be the only
difference between rawurlencode and urlencode in PHP. (further info here
http://stackoverflow.com/questions/996139/php-urlencode-vs-rawurlencode )
Since drupal_http_build_query was introduced in D7, as was
drupal_encode_path, they both seem to have always used rawurlencode;
however, the previous function for the latter was drupal_urlencode, which
was a wrapper for urlencode.
Does anyone know why we switched to using rawurlencode instead of
urlencode? Does anyone have thoughts on switching back to urlencode? I
could just go file a feature request for this, but wanted to get a feel
for the history and reasons for this change first.
Thanks!
Cheers,
Kevin O'Brien
Drupal Developer
http://www.coderintherye.com
415-754-0112
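
The encoding difference discussed in this thread can be checked directly. The following is an added example, not code from either message or from Drupal: it compares PHP's urlencode() and rawurlencode() over every single-byte value and then over a sample search phrase. It assumes PHP 5.3 or later; the helper name, the phrase and the path prefix are constructed for illustration.

```php
<?php
// Added example (not from the thread or from Drupal core).
// Lists every single-byte input for which urlencode() and rawurlencode()
// produce different output, then encodes one sample search phrase both ways.

/**
 * Hypothetical helper: returns a map of byte value => both encodings,
 * containing only the bytes where the two functions disagree.
 */
function encoding_differences(): array
{
    $diff = [];
    for ($b = 0; $b < 256; $b++) {
        $ch   = chr($b);
        $form = urlencode($ch);     // application/x-www-form-urlencoded style
        $raw  = rawurlencode($ch);  // RFC 3986 percent-encoding
        if ($form !== $raw) {
            $diff[sprintf('0x%02X', $b)] = [
                'urlencode'    => $form,
                'rawurlencode' => $raw,
            ];
        }
    }
    return $diff;
}

// Print one line per differing byte.
foreach (encoding_differences() as $byte => $pair) {
    printf(
        "%s  urlencode=%-4s rawurlencode=%s\n",
        $byte,
        $pair['urlencode'],
        $pair['rawurlencode']
    );
}

// Constructed sample input: a benign search phrase containing " and ".
$keys = 'salt and pepper';

// Constructed path prefix, used only to show the phrase in URL context.
$prefix = 'search/node/';

printf("rawurlencode: %s%s\n", $prefix, rawurlencode($keys));
printf("urlencode:    %s%s\n", $prefix, urlencode($keys));
```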