libwww-perl / HTTP-Message

The HTTP-Message distribution contains classes useful for representing the messages passed in HTTP style communication.

Home Page: https://metacpan.org/pod/HTTP::Message

URI params are not escaped correctly [rt.cpan.org #106237]

oalders opened this issue

Migrated from rt.cpan.org#106237 (status was 'open')

Requestors:

From dcpetrov@cpan.org on 2015-08-03 20:56:42:

I have a simple script which passes something like:

#!/usr/bin/env perl
use strict;
use warnings;
use HTTP::Request::Common qw/GET POST DELETE/;
use Data::Dumper;

my $req = GET 'http://localhost/events?search={"basetag":{"-like":"%devAAAAAAAA%"}}';

warn Dumper( $req->uri->query_form );

Result:
$VAR1 = 'search';
$VAR2 = '{"basetag":{"-like":"�vAAAAAAAA%"}}';

It seems like the params are not escaped correctly.

From srezic@cpan.org on 2015-08-04 20:56:45:

On 2015-08-03 16:56:42, DCPETROV wrote:
> I have a simple script which passes something like:
> 
> #!/usr/bin/env perl
> use strict;
> use warnings;
> use HTTP::Request::Common qw/GET POST DELETE/;
> use Data::Dumper;
> 
> my $req = GET 'http://localhost/events?search={"basetag":{"-like":"%devAAAAAAAA%"}}';
> 
> warn Dumper( $req->uri->query_form );
> 
> Result:
> $VAR1 = 'search';
> $VAR2 = '{"basetag":{"-like":"�vAAAAAAAA%"}}';
> 
> It seems like the params are not escaped correctly.

I think it's not the job of HTTP::* to escape something here. After all, the user maybe wanted to use the "%de" escape deliberately.

If you want to escape, then you should use a module like URI::QueryParam:

my $u = URI->new('http://localhost/events');
$u->query_param('search', '{"basetag":{"-like":"%devAAAAAAAA%"}}');
warn Dumper($u->query_form);

Result
$VAR1 = 'search';
$VAR2 = '{"basetag":{"-like":"%devAAAAAAAA%"}}';

I think Slaven is right here and that this ticket can be closed.
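The behaviour discussed in this thread, as an added example that is not code from any participant or from the project: it compares three ways of putting the reported value into a query string and checks whether the decoded parameter still equals what the caller intended. The helper names `show` and `check` are made up for this illustration; the value is the one from the report.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use URI;
use URI::Escape qw(uri_escape);

# Sample value taken from the report: JSON containing literal '%' wildcards.
my $filter = '{"basetag":{"-like":"%devAAAAAAAA%"}}';

# Render non-printable bytes as \xNN so the difference is visible.
sub show {
    my ($s) = @_;
    $s =~ s/([^\x20-\x7e])/sprintf('\\x%02X', ord $1)/ge;
    return $s;
}

# Decode the 'search' parameter and compare it with the intended value.
sub check {
    my ($label, $uri) = @_;
    my %form = $uri->query_form;
    printf "%-14s wire:    %s\n", $label, $uri->query;
    printf "%-14s decoded: %s\n", '', show($form{search});
    printf "%-14s intact:  %s\n\n", '', $form{search} eq $filter ? 'yes' : 'no';
}

# 1. Value pasted into the URL string: "%de" is read as an escape for byte 0xDE.
check('concatenated', URI->new("http://localhost/events?search=$filter"));

# 2. Value escaped first with uri_escape: '%' goes on the wire as %25.
check('uri_escape', URI->new('http://localhost/events?search=' . uri_escape($filter)));

# 3. Value set through the URI API, which escapes it for the caller.
my $built = URI->new('http://localhost/events');
$built->query_form(search => $filter);
check('query_form', $built);
```

Only the first case changes the value, because a literal `%` followed by two hex digits cannot be told apart from an escape sequence once it is inside a URL string.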