Closed ThomasTJdev closed 1 year ago
What does Sinatra do in this case?
With Sinatra it differs whether it is pure URL parameter vs Javascript value with POST-request. On GET-request it parses like decodeUrl()
.
Sinatra backend
require 'sinatra'
post '/' do
author = params['author']
msg = params["msg"]
puts author
puts msg
author
end
Javascript frontend
# B1
fetch("/?author=Message with plus+++signs", {
method: "POST",
body: new URLSearchParams( { msg: "Message with plus+++signs" })
})
Output on backend
The above Javascript (B1) uses inline URL parameters and formatted body. The server echo
(puts) these values:
127.0.0.1 - - [23/May/2023:16:02:36 +0200] "POST /?author=Message%20with%20plus+++signs HTTP/1.1" 200 25 0.0034
Message with plus signs <== This is the @author
Message with plus+++signs <== This is the @msg
I'm no Ruby man.. I spent some time going through the code, but with no direct solution. is_frozen
, HEADER_PARAMS
..
With Sinatra it differs whether it is pure URL parameter vs Javascript value with POST-request
Sounds like that is what we should do then :)
With Sinatra it differs whether it is pure URL parameter vs Javascript value with POST-request
Sounds like that is what we should do then :)
Hehe, got you ;) .
So, in Jester it all boils down to that non-URL params is already decoded within parseUrlQuery()
. So when also decoding within the @
-template we double decode - and that's some mess.
I have tried three approaches. But both 1 and 2 have breaking changes...
Table[string, string]
we now use var Table[string, tuple[value: string, frozen: bool]]
. By doing this we identify the frozen parameters when using @
. BUT now we will break code with:
for k, v in request.params:
# => Currently just a string
# => New: We now have tuple[string, bool]
https://github.com/dom96/jester/compare/master...ThomasTJdev:jester:decodeUrlParms
@
since nothing is decoded as default. BUT this introduces a breaking change for code with:
for k, v in request.params:
# => `v` is not decoded, so users have to decode the data
https://github.com/dom96/jester/compare/master...ThomasTJdev:jester:decodeUrlParms2
EDIT This is breaking change for users accessing the raw parameters. Example:
Current
var params: string
for k, v in c.req.params:
if params != "":
params.add("&")
params.add(k & "=" & v)
New
var params: string
for k, v in c.req.params:
if params != "":
params.add("&")
params.add(k & "=" & encodeUrl(v))
https://github.com/dom96/jester/compare/master...ThomasTJdev:jester:decodeUrlParms3
Wow, very thorough. Thank you. I think the "Third try" is the best, but I don't have strong feelings to be honest :)
I care a lot about your library here :) ! Third option is added as a PR.
Request to roll back commit a03b5be0b72f1a686b6ca594c145cee665e6db7b which implemented PR #171 which fixed Issue #159.
Scope
The commit changed the behaviour the template
@
used to access URL parameters and is noted as aBreaking change
. The change auto-decodes the URL parameter usingdecodeUrl()
regardless of the parameter-type.Exact change: https://github.com/dom96/jester/pull/171/files#diff-6a259fda1df185e57d46cf13c94d178eb6be365815acdf3dc8a132ab58a63f61L640-R640
Problem
When using Javascript to perform POST-request the data will/could be wrongly decoded.
Basic examples, but imagine this being Base64, JSON or other encoded data:
When parsing the the above POST-request with Jester the parameters will be returned after the
decodeUrl()
and therefor stripped for the+
-signs, which in this case is required.Actual
My message with plus signs
Expected result
My message with plus+++signs
Suggestion
Roll this commit back and let the URL param be parsed by the end user. In some cases they need to be parsed as traditional URL parameter (
example.com?project=hello
) or as Form data provided by a Javascript function.If accepted then I'll be happy to provide the PR.