<div>Howdy folks. Due to some draconian anti-SQL injection filters in our firewall software, I'm exploring how a few things work with url building in Drupal 7 & 8. A particular firewall rule is rejecting %20and%20 which unfortunately comes up fairly often with searches and webform, because both urls for those get encoded in that way. </div>
<div><br></div><div>Now, this filtering is not of course Drupal's problem, but in tracking this down, I found that basically, drupal_http_build_query and drupal_encode_path use rawurlencode and thus change spaces to %20. The space change and the lack of encoding the ~ seem to be the only difference between rawurlencode and urlencode in PHP. (further info here <a href="http://stackoverflow.com/questions/996139/php-urlencode-vs-rawurlencode">http://stackoverflow.com/questions/996139/php-urlencode-vs-rawurlencode</a> )</div>
<div><br></div><div>Since drupal_http_build_query was introduced in D7 as was drupal_encode_path they both seem to have always used rawlurlencode, however the previous function for the latter was drupal_urlencode which was a wrapper for urlencode.</div>
<div><br></div><div>Does anyone know why we switched to using rawurlencode instead of urlencode? Does anyone have thoughts on switching back to urlencode? I could just go file a feature request for this, but wanted to get a feel for the history and reasons for this change first.</div>
<div><br></div><div>Thanks!</div><div><br></div>Cheers,<br clear="all"><div>Kevin O'Brien<div>Drupal Developer</div><div><a href="http://www.coderintherye.com" target="_blank">http://www.coderintherye.com</a></div><div>
415-754-0112</div></div>