Spring Framework / SPR-15860

Reactive GET request query-params are not decoded correctly. + sign must be space.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Complete
    • Affects Version/s: 5.0 RC3
    • Fix Version/s: 5.0 RC4
    • Component/s: Reactive, Web
    • Labels: None
    • Last commented by a User: false

      Activity

      rstoya05-aop Rossen Stoyanchev added a comment -

      StringUtils.uriDecode() works as expected as per RFC 3986. On the other hand URLDecoder.decode(), despite its name, is for HTML form decoding (as per its Javadoc) and the decoding of '+' to space is related to the treatment of form data.

      What we could do is use URLDecoder.decode() when decoding query parameters on GET requests with Content-Type=application/x-www-form-urlencoded and keep the current behavior otherwise. Since I don't have more specific context, would that meet your case for you?

      Arjen Poutsma what do you think?

      jean.ho Jean added a comment - - edited

      When a browser (Chrome, Safari tested) submits <form method="GET">, spaces are encoded as '+'. Since there's no request body, the Content-Type header is not set.

      jean.ho Jean added a comment - - edited

      I guess this will help.

      https://www.w3.org/TR/html5/forms.html#form-submission-algorithm

      The query string is part of URL.

      jean.ho Jean added a comment -

      https://en.wikipedia.org/wiki/Percent-encoding#The_.60application.2Fx-www-form-urlencoded.60_type

      https://tools.ietf.org/html/rfc1630 – page 6.

      rstoya05-aop Rossen Stoyanchev added a comment -

      I don't think RFC 1630 is relevant any more. It does not have the usual "Updated by" forward links but RFC 3986 (the current spec) refers to it in its introduction.

      So to summarize, based on the HTML spec, browsers submit <form method="GET"> with form data in the query string. Since there is no way for the server to differentiate between a form GET (with form-encoded parameters in the query) from any other GET, we have to always use URLDecoder to decode query params as form encoded data.

      rstoya05-aop Rossen Stoyanchev added a comment -

      I have switched AbstractServerHttpRequest#initQueryParams to use URLDecoder.

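
The two decoding behaviours discussed in this thread, run side by side on the same query string, as an added example (not code from the Spring project or from the commenters). `percentDecode` is a hypothetical stand-in for RFC 3986 percent-decoding of the kind `StringUtils.uriDecode()` performs, the query string is constructed, and `URLDecoder.decode(String, Charset)` requires Java 10 or later.

```java
import java.io.ByteArrayOutputStream;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.UnaryOperator;

public class QueryDecodingDemo {

    // Hypothetical stand-in for RFC 3986 decoding: only %XX is decoded, '+' stays '+'.
    static String percentDecode(String s) {
        byte[] in = s.getBytes(StandardCharsets.UTF_8);
        ByteArrayOutputStream out = new ByteArrayOutputStream(in.length);
        for (int i = 0; i < in.length; i++) {
            if (in[i] != '%') { out.write(in[i]); continue; }
            if (i + 2 >= in.length) throw new IllegalArgumentException("truncated escape: " + s);
            int hi = Character.digit((char) in[i + 1], 16);
            int lo = Character.digit((char) in[i + 2], 16);
            if (hi < 0 || lo < 0) throw new IllegalArgumentException("bad escape: " + s);
            out.write((hi << 4) | lo);
            i += 2;
        }
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    // Split on '&' and '=' first, then decode each name and value with the given decoder.
    static Map<String, String> parse(String rawQuery, UnaryOperator<String> decoder) {
        Map<String, String> params = new LinkedHashMap<>();
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(decoder.apply(name), decoder.apply(value));
        }
        return params;
    }

    public static void main(String[] args) {
        // Constructed sample: a <form method="GET"> submission where the user typed
        // "a b+c" and "São Paulo". The space becomes '+', the literal plus becomes %2B.
        String rawQuery = "q=a+b%2Bc&city=S%C3%A3o+Paulo";
        Map<String, String> uri = parse(rawQuery, QueryDecodingDemo::percentDecode);
        Map<String, String> form = parse(rawQuery, s -> URLDecoder.decode(s, StandardCharsets.UTF_8));
        System.out.println("RFC 3986 decoding: " + uri);
        System.out.println("form decoding:     " + form);
        // Code that validates a parameter and code that consumes it must decode the same way.
        form.forEach((k, v) -> { if (!v.equals(uri.get(k))) System.out.println("decoders disagree on: " + k); });
    }
}
```

Both parameters are reported as disagreeing: only the form decoder recovers the spaces the user typed, while a literal plus survives either decoder as long as the client sent it as `%2B`.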

        People

        • Assignee: rstoya05-aop Rossen Stoyanchev
        • Reporter: jean.ho Jean
        • Last updater: Stéphane Nicoll
        • Votes: 0
        • Watchers: 2
