Thanks Scott, I did a fair bit of Googling and searching but managed to not type the right query to help me find that issue.<div><br clear="all"><div>Kevin O'Brien<div>Drupal Developer</div><div><a href="http://www.coderintherye.com" target="_blank">http://www.coderintherye.com</a></div>
<div>415-754-0112</div></div>
<br><br><div class="gmail_quote">On Fri, Mar 22, 2013 at 5:00 AM, <span dir="ltr"><<a href="mailto:development-request@drupal.org" target="_blank">development-request@drupal.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Today's Topics:<br>
<br>
1. rawurlencode vs. urlencode in drupal_http_build_query and<br>
drupal_encode_path (Kevin O)<br>
2. Re: rawurlencode vs. urlencode in drupal_http_build_query and<br>
drupal_encode_path (Scott Reynen)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Thu, 21 Mar 2013 20:22:28 -0700<br>
From: Kevin O <<a href="mailto:nowarninglabel@gmail.com">nowarninglabel@gmail.com</a>><br>
Subject: [development] rawurlencode vs. urlencode in<br>
drupal_http_build_query and drupal_encode_path<br>
To: <a href="mailto:development@drupal.org">development@drupal.org</a><br>
Message-ID:<br>
<CAKHOBFM=NLv+7QWEQ01L208TaB7YBt=<a href="mailto:2QpYvEBp0n9iP3hjPEA@mail.gmail.com">2QpYvEBp0n9iP3hjPEA@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="iso-8859-1"<br>
<br>
Howdy folks. Due to some draconian anti-SQL injection filters in our<br>
firewall software, I'm exploring how a few things work with url building in<br>
Drupal 7 & 8. A particular firewall rule is rejecting %20and%20 which<br>
unfortunately comes up fairly often with searches and webform, because both<br>
urls for those get encoded in that way.<br>
<br>
Now, this filtering is not of course Drupal's problem, but in tracking this<br>
down, I found that basically, drupal_http_build_query and<br>
drupal_encode_path use rawurlencode and thus change spaces to %20. The<br>
space change and the lack of encoding the ~ seem to be the only difference<br>
between rawurlencode and urlencode in PHP. (further info here<br>
<a href="http://stackoverflow.com/questions/996139/php-urlencode-vs-rawurlencode" target="_blank">http://stackoverflow.com/questions/996139/php-urlencode-vs-rawurlencode</a> )<br>
<br>
Since drupal_http_build_query was introduced in D7 as was<br>
drupal_encode_path they both seem to have always used rawurlencode,<br>
however the previous function for the latter was drupal_urlencode which was<br>
a wrapper for urlencode.<br>
<br>
Does anyone know why we switched to using rawurlencode instead of<br>
urlencode? Does anyone have thoughts on switching back to urlencode? I<br>
could just go file a feature request for this, but wanted to get a feel for<br>
the history and reasons for this change first.<br>
<br>
Thanks!<br>
<br>
Cheers,<br>
Kevin O'Brien<br>
Drupal Developer<br>
<a href="http://www.coderintherye.com" target="_blank">http://www.coderintherye.com</a><br>
<a href="tel:415-754-0112" value="+14157540112">415-754-0112</a><br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Thu, 21 Mar 2013 22:16:21 -0600<br>
From: Scott Reynen <<a href="mailto:scott@slicedbreadlabs.com">scott@slicedbreadlabs.com</a>><br>
Subject: Re: [development] rawurlencode vs. urlencode in<br>
drupal_http_build_query and drupal_encode_path<br>
To: <a href="mailto:development@drupal.org">development@drupal.org</a><br>
Message-ID: <<a href="mailto:514BDB15.1070008@slicedbreadlabs.com">514BDB15.1070008@slicedbreadlabs.com</a>><br>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed<br>
<br>
I wasn't around when this happened, but the history is all documented<br>
and searchable, so it didn't take too long to find an answer. While<br>
drupal_urlencode() was a wrapper for urlencode() in D5, it became a<br>
wrapper for rawurlencode() in D6. Here's the commit:<br>
<br>
<a href="http://drupalcode.org/project/drupal.git/commitdiff/f68f52540107a625f326448f413bc323e2138f31" target="_blank">http://drupalcode.org/project/drupal.git/commitdiff/f68f52540107a625f326448f413bc323e2138f31</a><br>
<br>
And here's the related issue with discussion of why that change was made:<br>
<br>
<a href="http://drupal.org/node/191116" target="_blank">http://drupal.org/node/191116</a><br>
<br>
--<br>
Scott Reynen<br>
Sliced Bread Labs<br>
<br>
On 3/21/13 9:22 PM, Kevin O wrote:<br>
> Howdy folks. Due to some draconian anti-SQL injection filters in our<br>
> firewall software, I'm exploring how a few things work with url building<br>
> in Drupal 7 & 8. A particular firewall rule is rejecting %20and%20 which<br>
> unfortunately comes up fairly often with searches and webform, because<br>
> both urls for those get encoded in that way.<br>
><br>
> Now, this filtering is not of course Drupal's problem, but in tracking<br>
> this down, I found that basically, drupal_http_build_query and<br>
> drupal_encode_path use rawurlencode and thus change spaces to %20. The<br>
> space change and the lack of encoding the ~ seem to be the only<br>
> difference between rawurlencode and urlencode in PHP. (further info here<br>
> <a href="http://stackoverflow.com/questions/996139/php-urlencode-vs-rawurlencode" target="_blank">http://stackoverflow.com/questions/996139/php-urlencode-vs-rawurlencode</a> )<br>
><br>
> Since drupal_http_build_query was introduced in D7 as was<br>
> drupal_encode_path they both seem to have always used rawurlencode,<br>
> however the previous function for the latter was drupal_urlencode which<br>
> was a wrapper for urlencode.<br>
><br>
> Does anyone know why we switched to using rawurlencode instead of<br>
> urlencode? Does anyone have thoughts on switching back to urlencode? I<br>
> could just go file a feature request for this, but wanted to get a feel<br>
> for the history and reasons for this change first.<br>
><br>
> Thanks!<br>
><br>
> Cheers,<br>
> Kevin O'Brien<br>
> Drupal Developer<br>
> <a href="http://www.coderintherye.com" target="_blank">http://www.coderintherye.com</a><br>
> <a href="tel:415-754-0112" value="+14157540112">415-754-0112</a><br>
<br>
<br>
<br>
<br>
------------------------------<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
[ Drupal development list | <a href="http://lists.drupal.org/" target="_blank">http://lists.drupal.org/</a> ]<br>
<br>
End of development Digest, Vol 123, Issue 3<br>
*******************************************<br>
</font></span></blockquote></div><br></div>
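The encoding difference discussed in this thread, as an added example that is not part of the original messages or of Drupal's code: it encodes the same values with rawurlencode() and urlencode(), and shows that a rule matching the literal text %20and%20 depends on which encoder built the URL, while a filter that decodes first sees one canonical value. The helper names normalize_query_value() and compare_encodings() and the sample search terms are assumptions made for illustration.

```php
<?php
// Constructed sample search terms; not taken from the original thread.
$samples = ['black and white', 'rock+roll', '~kevin/notes', 'salt & pepper'];

/**
 * Hypothetical helper: canonicalise a raw query-string value the way PHP
 * does when it fills $_GET (percent-decoding, and "+" becomes a space), so
 * a filter rule is evaluated against one form whichever encoder was used.
 */
function normalize_query_value(string $raw): string {
  return urldecode($raw);
}

/**
 * Hypothetical helper: encode one value both ways and report how a
 * literal wire-format rule and a decode-first comparison see it.
 */
function compare_encodings(string $value): array {
  $raw  = rawurlencode($value); // RFC 3986 style: space => %20, "~" kept
  $form = urlencode($value);    // form style: space => "+", "~" => %7E

  return [
    'rawurlencode' => $raw,
    'urlencode'    => $form,
    // Both wire forms decode back to the same value.
    'same_after_normalize' =>
      normalize_query_value($raw) === normalize_query_value($form),
    // A rule written against the literal bytes only sees one encoder's output.
    'literal_rule_hits_rawurlencode' => stripos($raw, '%20and%20') !== false,
    'literal_rule_hits_urlencode'    => stripos($form, '%20and%20') !== false,
  ];
}

foreach ($samples as $s) {
  echo json_encode([$s => compare_encodings($s)], JSON_UNESCAPED_SLASHES), "\n";
}
```

For "black and white" the two encoders produce black%20and%20white and black+and+white, so the literal rule fires on an ordinary search only because of the encoder Drupal chose; evaluating rules on the decoded value removes that dependence.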