[development] rawurlencode vs. urlencode in drupal_http_build_query and drupal_encode_path
nowarninglabel at gmail.com
Fri Mar 22 03:22:28 UTC 2013
Howdy folks. Due to some draconian anti-SQL injection filters in our
firewall software, I'm exploring how a few things work with url building in
Drupal 7 & 8. A particular firewall rule is rejecting %20and%20 which
unfortunately comes up fairly often with searches and webform, because both
urls for those get encoded in that way.
Now, this filtering is not of course Drupal's problem, but in tracking this
down, I found that basically, drupal_http_build_query and
drupal_encode_path use rawurlencode and thus change spaces to %20. The
space change and the lack of encoding the ~ seem to be the only difference
between rawurlencode and urlencode in PHP. (further info here
Since drupal_http_build_query was introduced in D7 as was
drupal_encode_path they both seem to have always used rawlurlencode,
however the previous function for the latter was drupal_urlencode which was
a wrapper for urlencode.
Does anyone know why we switched to using rawurlencode instead of
urlencode? Does anyone have thoughts on switching back to urlencode? I
could just go file a feature request for this, but wanted to get a feel for
the history and reasons for this change first.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the development