karenetheridge / OpenAPI-Modern

Validate HTTP requests and responses against an OpenAPI v3.1 document
https://metacpan.org/release/OpenAPI-Modern/

explicitly check for unencoded characters when allowReserved is false #63

Open karenetheridge opened 1 year ago

karenetheridge commented 1 year ago

allowReserved defaults to false, but we aren't checking that unencoded characters are appearing in the query parameters section of the request URI -- mojo just happily url-unescapes what it sees, without checking if some things already were un-escaped.

karenetheridge commented 1 year ago

This is very difficult to do because we don't usually have access to the raw request -- we get it as a Mojo::Message::Request which has already been parsed and the query parameters normalized.

Also, Mojolicious serializes a space to `+` in query parameters rather than to `%20`, which is common but still incorrect per RFC3986: https://stackoverflow.com/questions/2678551/when-should-space-be-encoded-to-plus-or-20

And also, the specified serialization formats all violate the RFC as well: https://github.com/OAI/OpenAPI-Specification/issues/1942#issuecomment-1732878538
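As an added illustration of the check discussed above (this is not code from OpenAPI-Modern or Mojolicious), the Python below scans the raw, still percent-encoded query string for RFC 3986 reserved characters that were left unencoded when `allowReserved` is false. It also shows the point made about needing the raw request: once the pairs are unescaped, `a%2Fb` and `a/b` are indistinguishable. Parameter names and URIs are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# RFC 3986 reserved set, as listed in the OpenAPI description of allowReserved:
# gen-delims ":/?#[]@" plus sub-delims "!$&'()*+,;="
RESERVED = set(":/?#[]@!$&'()*+,;=")
_PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def check_query_reserved(raw_uri, allow_reserved=None):
    """Inspect the raw (undecoded) query string of a request URI.

    allow_reserved maps parameter name -> bool (OpenAPI allowReserved,
    default False). Returns {name: sorted offending characters} for every
    parameter whose value contains a reserved character that is not
    percent-encoded, or a '%' that does not start a valid %XX escape.
    """
    allow_reserved = allow_reserved or {}
    query = urlsplit(raw_uri).query
    problems = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _sep, value = pair.partition("=")
        # Strip well-formed %XX escapes; whatever remains is literal text.
        literal = _PCT_ESCAPE.sub("", value)
        bad = set()
        if "%" in literal:
            bad.add("%")  # malformed escape or an already-decoded percent sign
        if not allow_reserved.get(name, False):
            bad |= {c for c in literal if c in RESERVED}
        if bad:
            problems[name] = sorted(bad)
    return problems


def decoded_values(raw_uri):
    """What a parsed request object hands back: pairs already unescaped,
    with '+' turned into a space, so encoding mistakes are no longer visible."""
    return dict(parse_qsl(urlsplit(raw_uri).query, keep_blank_values=True))
```

Note that a space serialized as `+` is reported as an unencoded reserved `+`, whereas `%20` passes, matching the RFC 3986 point raised above.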

karenetheridge commented 5 months ago

see also https://github.com/OAI/OpenAPI-Specification/issues/3759