Single quote gets escaped by chrome

[gbishop]

I'm trying to use jsurl but the single quotes are getting converted to %27 by chrome and then parsing breaks... Maybe I don't understand how I'm supposed to use it? Do I need to URIEncode after JSURL.stringfy? And decode before JSURL.parse?

[akleiber]

I am having the same problem

[bjouhier]

encodeURIComponent is the recommended function to encode URL parameters and this function does not encode single quotes. But some browsers do encode them to protect against HTML injection (see first answer to http://stackoverflow.com/questions/75980/when-are-you-supposed-to-use-escape-instead-of-encodeuri-encodeuricomponent and https://bugs.chromium.org/p/chromium/issues/detail?id=292740). This was not the case when I designed JSURL (2011) and it came as a bad surprise.

The problem can be solved by replacing %27 by ' before passing strings to JSURL.parse. There is no need to do any replacement in the other direction (JSURL.stringify) because ' can be passed unescaped.

I'm going to fix the problem in JSURL itself. JSURL.parse will do the replacement.

[bjouhier]

@akleiber I just published 0.1.3 to NPM, with the fix.

@gbishop I missed the issue when you posted it. Sorry for that.

[akleiber]

Wow. That was fast. Thank you very much!

Am 16.04.2016 um 00:17 schrieb Bruno Jouhier <notifications@github.commailto:notifications@github.com>:

@akleiberhttps://github.com/akleiber I just published 0.1.3 to NPM, with the fix.

@gbishophttps://github.com/gbishop I missed the issue when you posted it. Sorry for that.

You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHubhttps://github.com//issues/6#issuecomment-210666995