I'm not sure it this is intentional or if this is a bug. RFC 3986
(http://tools.ietf.org/rfc/rfc3986.txt) implies that [ and ] are
reserved characters in the query part of URIs.
URI producing applications should percent-encode data octets that
correspond to characters in the reserved set unless these characters
are specifically allowed by the URI scheme to represent data in that
component.
The HTTP RFC (RFC 2616) references the older URI RFC (RFC 2396:
http://www.ietf.org/rfc/rfc2396.txt), which doesn't state that [ and ]
are reserved characters in the query. But the HTTP RFC doesn't
specifically allow them either. As it predates RFC 3986, I'm not sure
what is considered the best practice.
Obviously Rails is escaping some characters and not others, and it
isn't using Rack::Utils.escape to do the escaping.
Obviously Rails is escaping some characters and not others, and it
isn't using Rack::Utils.escape to do the escaping.
I don't believe this was done deliberately. A quick glance over the
git history didn't point anything obvious out. Do you want to take a
go at rationalising the escaping code a bit?
Prehaps josh can enlighten us as to the reason why the change was
made, since the commit message does not do so.
Nor does the message here:
Those commits don't really have any justification, so unless josh
pipes up I'd be tempted to reverse them.
However to play devil's advocate, the spec isn't exactly clear that
they *should* be escaped, and nothing seems to break with them *not*
being escaped. What makes you want them that way? Is it breaking
your app some how?
Those commits don't really have any justification, so unless josh
pipes up I'd be tempted to reverse them.
However to play devil's advocate, the spec isn't exactly clear that
they *should* be escaped, and nothing seems to break with them *not*
being escaped. What makes you want them that way?
As RFC 3986 is more recent and implies they should be escaped, and
rack and cgi both escape them, that seems like the more logical
choice. The current code specifically reverses the escaping done by
cgi, so it's actually doing more work. I can't see a benefit for
escaping the URI with rack and then unescaping just the brackets with
a gsub, other than the unescaped URI looks nicer. If a nicer look is
more important, why unescape just the brackets, why not unescape other
characters where it wouldn't break things?
Is it breaking your app some how?
It breaks some test code, that's all. Test code that works on 5 other
web frameworks and previous versions of Rails.
It's not a big deal either way, but I wanted to know rails-core
opinion before I decide whether to update my test code.
It breaks some test code, that's all. Test code that works on 5 other
web frameworks and previous versions of Rails.
It's not a big deal either way, but I wanted to know rails-core
opinion before I decide whether to update my test code.
I'll see if I can get something a bit more definitive from josh as to
why this was changed. Seems a toss up either way, but the current
method is certainly a bit messy and at the very least we shouldn't be
escaping / unescaping
It's been a month since this was last discussed, and there doesn't
appear to have been any related changes made. Should I add a issue to
lighthouse so that it's easier to keep track of this?
