search

leafo / lapis

A web framework for Lua and OpenResty written in MoonScript
http://leafo.net/lapis/
MIT License
3.14k stars 247 forks source link

Parameter parser doesn't parse `+` correctly. #790

Closed adamharrison closed 3 months ago

adamharrison commented 4 months ago

These days, URLSearchParams.toString() can be used to create query parameter strings client side.

This method encodes space (`) as+, rather than%20`.

Lapis currently uses socket.url.unescape to unescape the query string; this function in luasocket explicitly mentions that this is for hexadecimal encoding only, so the + isn't unescaped.

Given that this seems to be the default behavior for the browser, and is a part of the spec (though I think it is optional); would it make sense to replace "+" with "%20" before we call unescape?

(And let me know if you'd like me to open a PR).

leafo commented 4 months ago

Unfortunately there are different standards for URL encoding. For consistency reasons I will not be changing the default one that comes with Lapis. Since it's been in use for so long, changing it may break utilities that depend on the output of it. (eg. if you depend on a certain version of URL encoding to generate signatures for signed content)

adamharrison commented 3 months ago

That's fair, I suppose.