-
-
Notifications
You must be signed in to change notification settings - Fork 10.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
#4605 match.params aren't URI decoded - further test #6578
#4605 match.params aren't URI decoded - further test #6578
Conversation
I have prepared a fix, which I have added to this PR. I don't think that the URI decoding relevant to this bug should be happening in I believe that the Hope this helps, Rich |
With
decodedLocation.pathname = "/message/%20 is the space octet"
<Route path="/message/:message" />
params = { message: " is the space octet" }
I haven't discussed this with any of the other maintainers, but I think that it might be beneficial to add a <Route path="/artist/:name" decode ... /> That should solve the problem in this PR while letting anyone that knows that they have params that are unsafe to decode to skip the decoding. (The inverse solution of providing a prop to not decode is also possible) v6 will expect Thoughts? |
I don't fully understand your comment. My initial reaction is that it doesn't really make sense, and you are trying to shoe-horn two incompatible concepts (URLs and some kind of more general "path") into a single library, which is causing you irreconcilable type errors. I think you need to 1) actually specify what /type/ is held in the various values here and 2) enforce that consistently (which is hard in an untyped language). I think you are building on sand by proposing a user-specified "encoding" which may or may not be compatible with URL encoding. In the meantime, I do think the proposed patch here is a) correct, b) an improvement on what is currently in the codebase and c) fixes a real bug. So I would suggest merging this patch and moving more theoretical discussions about "the user will be responsible for providing the correct encoding" in future versions to a different thread. |
I will move the decoding issue elsewhere, but I'm against merging this PR at this point. It might be the correct decision in v6, but we'll cross that bridge when we get there. |
Are you saying that the path params should never be decoded? I think that is unconventional to the point of being wrong, but I suppose it could work if it is documented and applied consistently. Currently the codebase is somewhere half way between the two viewpoints. |
I think that a param should be decoded. My worry is that if we call This is all stemming from the I really just don't want to further break things by adding automatic decoding unless we can be certain that it will give the correct output. Once all Maybe I'm overthinking it; v4's behavior would already make the |
I think so. I would bet that everyone is using "web safe" path params, because they can't rely on the current behaviour. I don't think you need to worry about backwards-compatibility here, as there is clearly a bug, as evidenced by #4605, this issue and the unit tests I added. |
I'm still slightly hesitant about blanket decoding every param. It is probably the ideal default behavior, but I wonder if anyone would want the ability to keep their params encoded. I'll leave the decision of whether to merge this as is or allow non-decoded params up to the other maintainers. As an aside, I think that the title of this PR could be more clear. Something like "automatically decode params using decodeURIComponent" or "decode param characters not decoded by decodeURI". The latter describes what the PR fixes today, while the former describes what RR will want to do once // characters not decoded by decodeURI
; , / ? : @ & = + $ # |
I can't think of any reason why they might want this. I'll leave it with you.
I disagree, I think "match.params aren't URI decoded" is a reasonable description of the bug. Part of the confusion might be that the builtin function "decodeURI" is poorly named and not very useful, for historical reasons. This SO explains some of the differences: https://stackoverflow.com/a/3608791/8261 "decodeURIComponent"/"encodeURIComponent" is correct for URL path parameters, which is the context we are discussing. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
I really hate "stale bot". This is a real bug in |
What is the recommended workaround for this issue? Just noticed it upgrading from v3 to v5 |
@suprMax We found a solution! The biggest cause of this bug was actually pointed earlier in this thread. Huge thank you and props to @RichardBradley for the deep digging to find the baneful use of
It appears that @pshrmn didn't really understand the URI specification and has introduce this situation. The workaround is to:
I've got a sandbox showing this off. |
decodeURI decodes paths in a very strange way. This should hopefully solve remix-run#786. This will need to be coupled with a PR in react-router remix-run/react-router#6578.
Submitted PR on history project remix-run/history#797 that I'm hoping is the other half of this issue. I am in favor of this PR, as it causes some weird gaps in support for %-encoded path segments for me which at the moment might force a home-grown replacement for a project, which I'd really rather avoid. |
Thanks for everybody's work on this. I'm closing issues that are old, if they are still problems please open a new issue and reference this one. We will be a lot more attentive now that our software is our sole focus and we survived 2020 😅. Thanks! |
Hi,
I think that #4605 is still not fixed, as this test demonstrates.
I will attempt to fix, but I can't guarantee I will succeed. I think the fix needs to be in
history
, and that the path component decoding function needs to bedecodeURIComponent
, rather thandecodeURI
. For that to work, we need to rearrange the parsing so that decoding happens after parsing (I think this commit does it before parsing), otherwise the parse will be ambiguous.I think that the current code shows confusion around types, e.g. the line I linked to above
pathname = decodeURI(pathname)
shows that the distinction between encoded URIs and values used as path parameters is not being properly maintained, which has led to this bug IMO. Decoded path parameters are of a different type to encoded URIs, so the two should not be stored in the same variable without inviting confusion and bugs.Thanks,
Rich