
Encode values #2

Open
CodesInChaos opened this issue Jan 23, 2018 · 3 comments

Comments

@CodesInChaos

This doesn't handle values containing special characters correctly, because it doesn't escape them. This is particularly problematic for & and =, since these will now be interpreted as separate parameters. This could lead to security vulnerabilities, similar to SQL-Injection or XSS.

@NotBad4U
Owner

NotBad4U commented Feb 6, 2018

Hi, sorry for the delay, I was quite busy these weeks.
So yeah, that can become a serious problem if we do not escape them.
I see 2 options:

  • Parse the ident and remove all the = and & symbols on the to_query_params call.
  • Parse and panic! if we encounter these symbols. IMO I don't like it when a lib panics.

@CodesInChaos
Author

Too lazy to dig through the spec right now, but I would expect percent encoding special characters to be the proper approach.

@NotBad4U
Owner

I'll try to find some time to look at the spec.
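The percent-encoding approach suggested above, as an added example that is not code from this project: `query_unencoded` reproduces the defect the issue describes (a value containing `&` and `=` is read by the receiver as an extra parameter), and `query_encoded` shows the fix. The function names and the sample parameters are constructed for the example.

```rust
// Added example (not the project's code): percent-encode query parameter
// values so '&' and '=' inside a value cannot be read as a new parameter.
// `query_unencoded` shows the defect from the issue; `query_encoded` the fix.

/// RFC 3986 unreserved characters pass through; every other byte becomes %XX.
fn percent_encode(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for b in input.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => {
                out.push(b as char)
            }
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Naive join, as the issue describes: values are inserted verbatim.
fn query_unencoded(params: &[(&str, &str)]) -> String {
    params
        .iter()
        .map(|(k, v)| format!("{}={}", k, v))
        .collect::<Vec<_>>()
        .join("&")
}

/// Safe join: both key and value are percent-encoded before concatenation.
fn query_encoded(params: &[(&str, &str)]) -> String {
    params
        .iter()
        .map(|(k, v)| format!("{}={}", percent_encode(k), percent_encode(v)))
        .collect::<Vec<_>>()
        .join("&")
}

/// Minimal receiver-side split (what a server does first): counts how many
/// parameters each query string yields. It only splits on '&', no decoding.
fn count_params(query: &str) -> usize {
    query.split('&').filter(|p| !p.is_empty()).count()
}

fn main() {
    // Constructed input: one value that carries both '&' and '='.
    let params = [("name", "a&admin=true"), ("n", "1")];
    println!("{}", query_unencoded(&params)); // name=a&admin=true&n=1 -> 3 params
    println!("{}", query_encoded(&params)); // name=a%26admin%3Dtrue&n=1 -> 2 params
}
```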
