Hyperlink should treat + in query as %20

[twm]

Via twisted/klein#339, Hyperlink seems to be percent-encoding the + when parsing the URL:

>>> from hyperlink import parse
>>> u = parse(b"https://localhost/getme?name=hello,%20big+world&value=4321".decode('ascii'))
>>> u
DecodedURL(url=URL.from_text('https://localhost/getme?name=hello,%20big%2Bworld&value=4321'))
>>> u.to_uri().to_text().encode('ascii')
b'https://localhost/getme?name=hello,%20big%2Bworld&value=4321'

This seems like a bug to me. + in the query part should be treated like %20. For example, this is what the web API does:

u = new URL("https://localhost/getme?name=hello,%20big+world&value=4321");
console.log(u.searchParams.get("name"));
// outputs: hello, big world

[wsanchez]

Well, we aren't first.

Brief foray into Stack Overflow seems to yield a lack of consensus as to correctness.

The Query String Article on Wikipedia (under URL Encoding) suggests this is a thing in HTML, which I read as distinct from a web browser… which makes the desired behavior possibly client-specific.

I might be reading the above wrong, and I haven't dug through RFCs for a definitive answer, but it seems like most of the time, replacing + with space is the not right thing to do…?

[mahmoud]

Oh man, I thought I responded to this, but you basically read my mind @wsanchez. It's a web-ism. Might be worth making a default (https is the default scheme in hyperlink after all). But yeah, I grappled with this a bit in my initial work and left the behavior as it is today.

Could make it a flag in .normalize() or similar?

[twm]

Ah, okay, so I am not sure that it need even be a flag. Since the hex-encoded form is universal it is reasonable to canonicalize to that. Noting this behavior in the documentation seems enough of a fix to me.

[twm]

I seem to have confused myself here, so I'm going to retrace my steps. We're trying to make use of Hyperlink in both client and server-side libraries, with slightly different requirements.

1. For a client library (treq) it seems safe to encode space as %20 in all circumstances, rather than using + in querystrings. Any server that parses querystrings will have support for percent-escaped characters.
2. For a server library (Klein) we want to use a DecodedURL instances to represent the request URI, so it must be able to decode querystrings generated by web browsers, which encode spaces as +. That means that this is a problem:

>>> u = DecodedURL.from_text('/foo/?q=a+b')
>>> u.get('q')
['a+b']

In the server-side use case it would be fine if we could pre-normalize the URL or otherwise cause DecodedURL.get() to process + as space, though I think it is still surprising that this isn't the default for http and https schemes. Perhaps there should be an additional parameter to register_scheme() a-la uses_netloc?

[wsanchez]

I agree with 1.

When you say "querystrings generated by web browsers", what's an example of how you get a web browser to generate a query string?

[mahmoud]

<form> submit with "GET" action should do it, yeah?

[wsanchez]

Right, to confirm this awesomeness, I wrote this script:

from textwrap import dedent

from klein import run, route

@route("/")
def home(request):
    request.setHeader("content-type", "text/html")
    return dedent(
        """
        <html>
          <head><title>Form</title></head>
          <body>
            <form action="" method="GET">
              <div>
                <input type="text" name="name" id="name" required>
              </div>
              <div>
                <input type="submit" value="Submit">
              </div>
            </form>
          </body>
        </html>
        """
    )

run("localhost", 8080)

And ran it, entered "hello, world" into the text field, and the URL I'm sent to in the (Safari) browser's location bar is http://localhost:8080/?name=hello%2C+world. The Klein log spits out that request.uri is b'/?name=hello%2C+world'.

So… back to @twm's retracing of steps, it does seem like dealing with web browsers requires that one convert those + characters to spaces at some point.

If Hyperlink doesn't do this, then it would seem like Klein should do on on request URIs, but to do so, it would have to tase out the query part and only do this there, which seems more like Hyperlink's domain…

If Hyperlink does this… let's say by default for simplicity, then the downside is… that someone put a + into a query and meant for that to be a plus, not a space. That someone could have instead encoded that as %2B, so a client like treq always encoding plus and space seems prudent (item 1, again).

It remains unclear by way of standards what a client is supposed to do with an un-encoded plus, I guess "what web browsers do" is the next best thing. Though I'm nervous about what I see in the location bar as

Trying to take HTML out of the picture, here am in the Safari JavaScript console to replicate the Web API @twm referenced:

> url = new URL("http://localhost:8080/?name=hello%2C+world")
< URL {href: "http://localhost:8080/?name=hello%2C+world", origin: "http://localhost:8080", protocol: "http:", username: "", password: "", …}
> url.search
< "?name=hello%2C+world"
> url.searchParams.get("name")
< "hello, world"

So the string representation of the URL leaves + in place. But when you tease our query values, they get converted to space.

So I'm not sure whether the + should be left alone when parsed, or covered to %20. What does seem appropriate is that by the time you get it back via a query API like this:

>>> url = DecodedURL.fromText("https://localhost/getme?name=hello,%20big+world&value=4321")
>>> url.get("name")
['hello, big+world']

…the API should probably have converted the + to a space.

[wsanchez]

@glyph should weigh in here because he wrote some tests in Klein which apparently agree with @twm about this.

[glyph]

DecodedURL should absolutely be converting + to space in this context, but URL should preserve the input format.

[glyph]

Figuring out how all of WhatWG's spec fits together is extremely tedious, but it does contain this gem:

Replace any 0x2B (+) in name and value with 0x20 (SP).

Which suggests... something.

[glyph]

(My understanding from @mahmoud's previous statements is that we are preferring WhatWG to the RFCs in hyperlink, as it's somewhat more up-to-date and pragmatic.)

[mahmoud]

Oh dang, not sure where I gave that impression*. WhatWG is browser/web-focused, I've been trying to make hyperlink more vanilla, not adopting all the HTTP-adjacent assumptions. So, leaning toward the earlier RFCs, using other prominent URL use cases (e.g., git, db drivers) to temper web influences.

I'm not sure what other protocols do with +, but I can see hyperlink being of some help, at least through a flag on parse or URL.normalize. If it's got to go into default behavior, then yeah, DecodedURL would be the spot. + is special, so I'm guessing on serialization, we're all OK if it roundtrips to %20? A flag would make that specialness more explicit.

As an aside, WHATWG's "plain English" description of URL parsing is one of my go-to example of how not to document technical specs. Just give us a good reference implementation already.

[glyph]

+ is special, so I'm guessing on serialization, we're all OK if it roundtrips to %20? A flag would make that specialness more explicit.

No, but, the underlying URL object can easily maintain the relevant state. We already have lots of places where equivalent-when-decoded URLs still manage to round-trip with no loss of information.