
Separating comma is not URL-encoded in array query parameter with `style: form`, `explode: false` and `allowReserved: false`

Open marvinruder opened this issue 2 years ago • 1 comments

Q&A (please complete the following information)

  • OS: macOS 14.0 (build 23A344)
  • Browser: Safari Version 17.0 (19616.1.27.211.1)
  • Method of installation: static file server
  • Swagger-UI version: 5.9.0
  • Swagger/OpenAPI version: OpenAPI 3.0.3

Content & configuration

Example Swagger/OpenAPI definition:

openapi: 3.0.3
info:
  title: Example
  version: "0"
servers:
  - url: https://example.com/api
paths:
  /list:
    get:
      parameters:
        - name: elements
          in: query
          style: form
          explode: false
          allowReserved: false
          schema:
            type: array
            items:
              type: string
      responses:
        '200':
          description: Successful operation

To reproduce...

Steps to reproduce the behavior:

  1. Open Swagger UI with the configuration provided
  2. Open endpoint and click “Try it out”
  3. Add multiple strings to array
  4. Click “Execute”
  5. Observe that in the request URL sent to the (example) server, array strings are joined using unencoded `,`, in violation of the `allowReserved: false` configuration option

Expected behavior

The strings are separated by `%2C` instead of `,`.


marvinruder, Oct 07 '23 17:10

Any solutions to this?

ptrstn, Sep 03 '24 15:09

This is caused by the upstream swagger-client library.

char0n, Oct 31 '24 08:10

After thorough investigation, we've determined that the status quo is correct. We've created a PR that solves the potential issue described in this GitHub issue, but during the code review we've uncovered that the change would introduce ambiguity into encoding and the data semantics will be lost when utilized.

parameter value1: "data,data"
parameter value2: "data,data"

Before the PR
-------------------
allowReserved=false: param=data%2Cdata,data%2Cdata
allowReserved=true: param=data,data,data,data

After the PR
----------------
allowReserved=false: param=data%2Cdata%2Cdata%2Cdata
allowReserved=true: param=data,data,data,data

The "After" scenario proves that it is not possible to construct the original parameter value again, as the separator is now ambiguous.

Please reopen this issue if you disagree with our reasoning.

char0n, Oct 31 '24 09:10
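
The ambiguity described in the last comment, as an added example (not swagger-client or Swagger UI code). All function names are hypothetical, and the two parsers are assumed consumers written for illustration:

```javascript
// Added example: not swagger-client code. All function names are hypothetical.

// Status quo: percent-encode each item, then join with a literal comma.
function serializeStatusQuo(name, items) {
  return `${name}=${items.map(encodeURIComponent).join(',')}`;
}

// Behaviour the issue asked for: the separating comma is encoded as well.
function serializeEncodedSeparator(name, items) {
  return `${name}=${encodeURIComponent(items.join(','))}`;
}

// Assumed consumer A: split on the literal comma, then decode each item.
function parseSplitThenDecode(query, name) {
  const raw = query.slice(name.length + 1);
  return raw === '' ? [] : raw.split(',').map(decodeURIComponent);
}

// Assumed consumer B: decode the whole value, then split on the comma.
function parseDecodeThenSplit(query, name) {
  const raw = query.slice(name.length + 1);
  return raw === '' ? [] : decodeURIComponent(raw).split(',');
}

// True when parse(serialize(items)) yields exactly the original array.
function roundTrips(serialize, parse, items) {
  const parsed = parse(serialize('param', items), 'param');
  return JSON.stringify(parsed) === JSON.stringify(items);
}

// Constructed inputs: the two-item array from the thread and a four-item one.
const twoItems = ['data,data', 'data,data'];
const fourItems = ['data', 'data', 'data', 'data'];

console.log('status quo, 2 items:       ', serializeStatusQuo('param', twoItems));
console.log('encoded separator, 2 items:', serializeEncodedSeparator('param', twoItems));
console.log('encoded separator, 4 items:', serializeEncodedSeparator('param', fourItems));
console.log('status quo round-trips:    ',
  roundTrips(serializeStatusQuo, parseSplitThenDecode, twoItems));
console.log('encoded sep., consumer A:  ',
  roundTrips(serializeEncodedSeparator, parseSplitThenDecode, twoItems));
console.log('encoded sep., consumer B:  ',
  roundTrips(serializeEncodedSeparator, parseDecodeThenSplit, twoItems));
```

With the encoded separator, the two-item and four-item arrays serialize to the same string, so neither parsing order can recover the original item boundaries.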