[development] development Digest, Vol 123, Issue 3

Kevin O nowarninglabel at gmail.com
Sat Mar 23 01:05:10 UTC 2013


Thanks Scott, I did a fair bit of Googling and searching but managed to not
type the right query to help me find that issue.

Kevin O'Brien
Drupal Developer
http://www.coderintherye.com
415-754-0112


On Fri, Mar 22, 2013 at 5:00 AM, <development-request at drupal.org> wrote:

> Today's Topics:
>
>    1. rawurlencode vs. urlencode in drupal_http_build_query and
>       drupal_encode_path (Kevin O)
>    2. Re: rawurlencode vs. urlencode in drupal_http_build_query and
>       drupal_encode_path (Scott Reynen)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 21 Mar 2013 20:22:28 -0700
> From: Kevin O <nowarninglabel at gmail.com>
> Subject: [development] rawurlencode vs. urlencode in
>         drupal_http_build_query and drupal_encode_path
> To: development at drupal.org
> Message-ID: <CAKHOBFM=NLv+7QWEQ01L208TaB7YBt=2QpYvEBp0n9iP3hjPEA at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Howdy folks. Due to some draconian anti-SQL injection filters in our
> firewall software, I'm exploring how a few things work with url building in
> Drupal 7 & 8. A particular firewall rule is rejecting %20and%20 which
> unfortunately comes up fairly often with searches and webform, because both
> urls for those get encoded in that way.
>
> Now, this filtering is not of course Drupal's problem, but in tracking this
> down, I found that basically, drupal_http_build_query and
> drupal_encode_path use rawurlencode and thus change spaces to %20. The
> space change and the lack of encoding the ~ seem to be the only difference
> between rawurlencode and urlencode in PHP. (further info here
> http://stackoverflow.com/questions/996139/php-urlencode-vs-rawurlencode )
>
> Since drupal_http_build_query was introduced in D7 as was
> drupal_encode_path they both seem to have always used rawurlencode,
> however the previous function for the latter was drupal_urlencode which was
> a wrapper for urlencode.
>
> Does anyone know why we switched to using rawurlencode instead of
> urlencode? Does anyone have thoughts on switching back to urlencode? I
> could just go file a feature request for this, but wanted to get a feel for
> the history and reasons for this change first.
>
> Thanks!
>
> Cheers,
> Kevin O'Brien
> Drupal Developer
> http://www.coderintherye.com
> 415-754-0112
>
> ------------------------------
>
> Message: 2
> Date: Thu, 21 Mar 2013 22:16:21 -0600
> From: Scott Reynen <scott at slicedbreadlabs.com>
> Subject: Re: [development] rawurlencode vs. urlencode in
>         drupal_http_build_query and drupal_encode_path
> To: development at drupal.org
> Message-ID: <514BDB15.1070008 at slicedbreadlabs.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> I wasn't around when this happened, but the history is all documented
> and searchable, so it didn't take too long to find an answer. While
> drupal_urlencode() was a wrapper for urlencode() in D5, it became a
> wrapper for rawurlencode() in D6. Here's the commit:
>
>
> http://drupalcode.org/project/drupal.git/commitdiff/f68f52540107a625f326448f413bc323e2138f31
>
> And here's the related issue with discussion of why that change was made:
>
> http://drupal.org/node/191116
>
> --
> Scott Reynen
> Sliced Bread Labs
>
>
> ------------------------------
>
> End of development Digest, Vol 123, Issue 3
> *******************************************
>
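The encoding difference discussed in this thread, as an added PHP example (not code from the thread or from Drupal core). The `keys` parameter, the sample phrases and both rule functions are assumptions made for illustration; `naive_rule_hits()` is a hypothetical stand-in for the firewall rule described above. It shows that a rule matching raw encoded bytes gives a different verdict for the same benign query depending on the encoder, while a rule applied after decoding is at least consistent.

```php
<?php
// Added illustration, not Drupal core code. Rule functions are hypothetical
// stand-ins for the firewall behaviour described in the thread.

// Constructed, benign sample search phrases.
$queries = ['salt and pepper', 'terms~and conditions', 'rock and roll'];

/** Naive rule: look for the literal bytes "%20and%20" in the raw query string. */
function naive_rule_hits(string $rawQueryString): bool {
  return stripos($rawQueryString, '%20and%20') !== false;
}

/**
 * Same token check, applied after percent-decoding, so the verdict no longer
 * depends on whether the client encoded a space as %20 or as +.
 */
function normalized_rule_hits(string $rawQueryString): bool {
  $decoded = urldecode($rawQueryString); // maps both %20 and + to a space
  return preg_match('/\sand\s/i', $decoded) === 1;
}

foreach ($queries as $q) {
  // rawurlencode(): space -> %20, ~ left as-is (what D7 uses, per the thread).
  // urlencode():    space -> +,   ~ -> %7E.
  foreach (['rawurlencode', 'urlencode'] as $encoder) {
    $qs = 'keys=' . $encoder($q); // "keys" is an assumed parameter name
    printf(
      "%-13s %-34s naive=%-3s normalized=%s\n",
      $encoder,
      $qs,
      naive_rule_hits($qs) ? 'hit' : '-',
      normalized_rule_hits($qs) ? 'hit' : '-'
    );
  }
}
```

The normalized check still flags ordinary phrases containing "and", so the false positives come from the rule's pattern itself; changing the encoder only changes whether the raw-byte rule happens to see them.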