Corrupts passwords by inserting URI-encoded entities

Open iam-TJ opened this issue 11 years ago • 1 comments

Using the password exported to CSV from another device, I found the account would report "Bad username or Password" when trying to log in. Initially I thought I was mistyping the password repeatedly. Eventually, I checked back with Firefox's "Show Passwords" and found that the exported password contains an ampersand, which the exported string had URI-encoded to %26. I had been typing the literal "%26".

I can understand why URI-encoding would be used for the double-quote character since it is the text-delimiter in CSV string fields.

I don't think it's the best approach to export URI-encoded without some indicator that the string is URI-encoded. I'd suggest prefixing any field that requires URI-encoding with "uri-encoded:".

During export it is easy to determine if the field requires URI-encoding simply by doing a strchr() style search for the double-quote. All other characters should not be encoded.

iam-TJ, Jul 20 '13 18:07

Per RFC 4180, escaping should only be done for quote (") characters, and not for %, <, >, or &. And escaping " is done by preceding it with another ". I.e. foo"bar should be written as "foo""bar".

Similarly, RFC 4180 says to use CRLF as line delimiter on all platforms.

https://tools.ietf.org/html/rfc4180

sicking, Jan 18 '17 09:01
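
The RFC 4180 quoting described in the comment above, as an added example that is not part of the issue thread or of Password Exporter's code: a writer that only doubles embedded quotes, and a reader that recovers each field unchanged. All function names and the sample logins are constructed for illustration, and `encodeURIComponent` is assumed as a stand-in for the exporter's URI-encoding.

```javascript
// Added example, not Password Exporter code. All names here are hypothetical.
const CRLF = "\r\n"; // RFC 4180 record terminator on every platform

// Quote the field and double any embedded quote; nothing else is altered.
function csvField(value) {
  return '"' + String(value).replace(/"/g, '""') + '"';
}
const csvRecord = (fields) => fields.map(csvField).join(",") + CRLF;

// Minimal RFC 4180 reader: quoted fields may hold commas, CRLF and "" pairs.
function parseCsv(text) {
  const rows = [];
  let row = [], field = "", inQuotes = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (inQuotes) {
      if (c === '"' && text[i + 1] === '"') { field += '"'; i++; }
      else if (c === '"') inQuotes = false;
      else field += c;
    } else if (c === '"') {
      inQuotes = true;
    } else if (c === ",") {
      row.push(field); field = "";
    } else if (c === "\r" && text[i + 1] === "\n") {
      row.push(field); rows.push(row); row = []; field = ""; i++;
    } else {
      field += c;
    }
  }
  if (field !== "" || row.length > 0) { row.push(field); rows.push(row); }
  return rows;
}

// Constructed sample logins: [site, username, password].
const samples = [
  ["https://example.test", "alice", 'p&ss"w%26rd'],
  ["https://example.test", "bob", "a,b\r\nc<d>"],
];

// True when every field survives export and re-import byte for byte.
function roundTrips() {
  const text = samples.map(csvRecord).join("");
  return JSON.stringify(parseCsv(text)) === JSON.stringify(samples);
}

// Assumed stand-in for the exporter's encoding: the encoded form of "a&b"
// is indistinguishable from a literal password "a%26b" in the exported file.
const uriEncodedLooksLiteral = () => encodeURIComponent("a&b") === "a%26b";
```
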