How I stumbled upon this: I have a barcode scan callback. It does some processing on barcode content, and then uses WebView Navigate to navigate the UI. params is a hash, which includes some decoded data as well as the original raw scan data.
In some cases, the raw data might contain some sequences that LOOK LIKE uri-encoded data. For example, this specific sequence: %96url_for() properly encodes this as %2596 and then after decoding yields the original %96.
The code above corrupts the query string by decoding what APPEARS to be uri-encoding but which is not. (For example, the + above will be turned into a space, and %96 will be turned into an invalid UTF-8 character and will be substituted with the substitution character.
def scan_received
Rho::Barcode.stop();
if @params["status"] == "ok"
scan = Scan.new
t = Time.now
scan.client_created_at = t
scan.client_updated_at = t
scan.was_preloaded = false
scan.raw_data = @params['barcode']
params = scan.decode
WebView.navigate url_for(
action: "new_#{scan.kind}",
query: params,
)
else
WebView.navigate Rho::Application.startURI
end
end
See: https://github.com/rhomobile/rhodes/issues/1082
In
RhodesApp.cpp
,callback_redirect_to
I think should not decode the URL - or, at least should not decode any included query string.How I stumbled upon this: I have a barcode scan callback. It does some processing on barcode content, and then uses
WebView Navigate
to navigate the UI.params
is a hash, which includes some decoded data as well as the original raw scan data.In some cases, the raw data might contain some sequences that LOOK LIKE uri-encoded data. For example, this specific sequence:
%96
url_for()
properly encodes this as%2596
and then after decoding yields the original%96
.This gets internally redirected, like:
The code above corrupts the query string by decoding what APPEARS to be uri-encoding but which is not. (For example, the
+
above will be turned into a space, and%96
will be turned into an invalid UTF-8 character and will be substituted with the substitution character.I fixed locally by changing the last line:
But not sure if this is really a correct fix.
The code winds up here:
This seems perhaps vaguely relevant: https://github.com/curl/curl/issues/473