closure-library icon indicating copy to clipboard operation
closure-library copied to clipboard
verified publisher icon google

goog.Uri mangles form-urlencoded fragments

Open nicks opened this issue 9 years ago • 2 comments

Run the following code:

goog.Uri.parse('http://google.com/callback#state=x%3Dy').toString()

Expected result: http://google.com/callback#state=x%3Dy Actual result: http://google.com/callback#state=x=y

AFAIK, form-urlencoded fragments are a relatively recent thing. They come up in the OAuth spec, see https://tools.ietf.org/html/rfc6749#section-4.2.2, though there might be earlier instances. We found this bug because we were trying to use goog.Uri to parse Google OAuth login, and it totally broke.

I'm not sure what the best way to fix this is. We fixed it in our codebase by making fragment encoding and decoding inverses of each other (in goog.Uri, they are not exact inverses). You could also imagine some sort of FragmentData api analogous to QueryData.

nicks avatar Mar 01 '16 00:03 nicks

Seems like it should be fixable even without a FragmentData API, no? Then again, I haven't look at goog.Uri recently...

shicks avatar Mar 01 '16 02:03 shicks

Did you have a PR for this @nicks ?

concavelenz avatar Mar 15 '16 15:03 concavelenz