url-encoded values in params object

[heartsentwined]

As reported in getoutreach/epf#71. @ghempton suggested that this might be an ember-level issue.

In summary, if your entry URL is /search/便 (just a random non-safe character), the params object will give you Object {search_term: "%E4%BE%BF"}. Should it be Object {search_term: "便"} instead?

[wagenet]

What browser are you using? I suspect this may be a browser bug.

[heartsentwined]

Behavior observed on Firefox 23.0 and Chromium 28.0.1500.71, on Ubuntu 13.04. (Using 1.0.0.rc8)

[heartsentwined]

Unfortunately I cannot get my hands on an IE to test this yet.

[wagenet]

This works fine for me on a Mac with Chrome 29 and FF 23. However, it does not work on Safari 6. Fiddle here: http://jsfiddle.net/M4YJC/1 or http://jsfiddle.net/M4YJC/1/show/#/search/便

This seems like a browser bug, but we may be able to do something about it in Ember.

[heartsentwined]

Thanks for testing. Would dropping a decodeURIComponent on each params member be too expensive for this?

[krisselden]

@heartsentwined and @wagenet if it has already be decoded, then adding another decode could decode characters not meant to be decoded. A fix needs to normalize behavior between browsers, I seen this workaround by splitting the hash off of location.href and decoding it instead of relying on location.hash to be consistently decoded.

[wagenet]

@heartsentwined Would you be interested in attempting a PR for this?

[heartsentwined]

I have no idea on how to fix this while avoiding the double-decoding issue if this is browser-dependent

[krisselden]

@heartsentwined location.href is never decoded, so using it instead of location.hash should avoid double decoding.

[wagenet]

@alexspeller, this seems related to #3396.

[alexspeller]

I believe this is the exact same issue - can anyone confirm the issue is fixed if you use master and enable the query params feature? (i.e. Ember.FEATURES["query-params"] = true immediately after ember loads)

[krisselden]

@wagenet confirm

[wagenet]

@alexspeller Under what circumstances would the app want encoded params?

[heartsentwined]

Was trying to take a stab at it, but further testing shows that this same issue is observed on main route paths themselves too, which #3396 doesn't address. Example:

App.Router.map ->
  @route 'foo', { path: '便' } # again just a non-url-safe character

Entering by /便 gives

Assertion failed: The URL '/%E4%BE%BF' did not match any routes in your application

I'm starting to think whether this should actually belong to the RouteRecognizer, or the router lib, or related libs that ember delegates to - instead of us taking a stab here and there and patching the hash portion, the params portion, and possibly the whole path itself one by one.

@wagenet thoughts?

@alexspeller I think the proper fix and expectation is to decode all parts. Any app that could expect a non-url-safe character is most likely targeting audiences that can read those characters in the first place, instead of just wanting to pass the encoded characters around behind-the-scenes. Like the search term, if ember exposes a universally encoded term, then userland code would like have to (1) decode them to display current search term, (2) decode them to pass to backend API, etc. In short, userland code would be doing the decoding work everywhere, where ember could have handled it centrally in one place.

Use case: any ember app that targets any audience beyond purely-English-speaking fellows.

[dschmidt]

I've been thinking about the issue (I've created #3514). and I was wondering if we could have something like Symfony2 has or how it could be done already (I'm not that familiar with ember yet, sorry).
You can implement an URL generator and a matcher. The standard generator creates links that are percent encoded, but you can for example create your own urlgenerator to use +-encoding for whitespaces e.g..
The matcher is the corresponding counterpart that parses the link.

Handling this centrally and sanely could help with issues I had in the past with "/" in params. They should be encoded when the link is generated imho otherwise a bookmark breaks while clicking a link works.

[alexspeller]

@heartsentwined I agree, decoding and encoding should be automatic.

[heartsentwined]

Sidenote: what should be the expected behavior for the space character? It could come in + or %20 respectively.

[dschmidt]

To me it feels it should be %20 by default (afaik only that's a real standard) but easy to change to + (as that's what I want to use ;-))

[alexspeller]

I think it should just use encodeURIComponent and decodeURIComponent - which spits out %20. Anything else would require crazy special casing and is weird

[dschmidt]

@alexspeller Why not have an abstraction for that?

#3489 talks about a serialize and deserialize function that has been removed. why?! That's exactly what I would do. Even if they only wrap encodeURIComponent and decodeURIComponent it leaves it up for anyone to exchange that implementation.

[wagenet]

@dschmidt serialize and deserialize don't deal in raw URLs, they deal with a params hash. If there is something you can overwrite for this, it should probably be in the Location class.

[heartsentwined]

Overriding Ember.HistoryLocation and Ember.HashLocation should be the "root" way of doing ember-level normalization of this browser difference. But first I need to collect browser behavior data.

I have created a test page that outputs the different properties of the window.location object. Would anyone having apple-based products (mac, iphone, ipad), please visit http://ember-urldecode-test.herokuapp.com/便?便#便 and http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF , and post the output? I have linux (ubuntu 13.04) and android 4.0, and I can get my hands on a windows 7 soon too. If you would like to post results of other different platforms, you are most welcome too.

chromium, linux (ubuntu 13.04):
Entry: http://ember-urldecode-test.herokuapp.com/便?便#便
window.location.href = 'http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#便'
window.location.pathname = '/%E4%BE%BF'
window.location.search = '?%E4%BE%BF'
window.location.hash = '#便'

chromium, linux (ubuntu 13.04):
Entry: http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF
window.location.href = 'http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF'
window.location.pathname = '/%E4%BE%BF'
window.location.search = '?%E4%BE%BF'
window.location.hash = '#%E4%BE%BF'

firefox, linux (ubuntu 13.04):
Entry: http://ember-urldecode-test.herokuapp.com/便?便#便
window.location.href = 'http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF'
window.location.pathname = '/%E4%BE%BF'
window.location.search = '?%E4%BE%BF'
window.location.hash = '#便'

firefox, linux (ubuntu 13.04):
Entry: http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF
window.location.href = 'http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF'
window.location.pathname = '/%E4%BE%BF'
window.location.search = '?%E4%BE%BF'
window.location.hash = '#便'

opera, linux (ubuntu 13.04):
Entry: http://ember-urldecode-test.herokuapp.com/便?便#便
window.location.href = 'http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#便'
window.location.pathname = '/便'
window.location.search = '?%E4%BE%BF'
window.location.hash = '#便'

opera, linux (ubuntu 13.04):
Entry: http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF
window.location.href = 'http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF'
window.location.pathname = '/便'
window.location.search = '?%E4%BE%BF'
window.location.hash = '#%E4%BE%BF'

(edited: added encoded-version url entry)

[heartsentwined]

The issue is that, contrary to what @kselden has said, even the encoded/decoded status location.href is not consistent - look at firefox vs the other two above.

[heartsentwined]

Oh and the exact 便 character isn't important, you can use any unsafe character

[heartsentwined]

native browser, android 4
Entry: http://ember-urldecode-test.herokuapp.com/便?便#便
window.location.href = 'http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF'
window.location.pathname = '/%E4%BE%BF'
window.location.search = '?%E4%BE%BF'
window.location.hash = '#%E4%BE%BF'

native browser, android 4
Entry: http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF
window.location.href = 'http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF'
window.location.pathname = '/%E4%BE%BF'
window.location.search = '?%E4%BE%BF'
window.location.hash = '#%E4%BE%BF'

chrome, android 4
Entry: http://ember-urldecode-test.herokuapp.com/便?便#便
window.location.href = 'http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#便'
window.location.pathname = '/%E4%BE%BF'
window.location.search = '?%E4%BE%BF'
window.location.hash = '#便'

chrome, android 4
Entry: http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF
window.location.href = 'http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF'
window.location.pathname = '/%E4%BE%BF'
window.location.search = '?%E4%BE%BF'
window.location.hash = '# %E4%BE%BF'

firefox, android 4
Entry: http://ember-urldecode-test.herokuapp.com/便?便#便
window.location.href = 'http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF'
window.location.pathname = '/%E4%BE%BF'
window.location.search = '?%E4%BE%BF'
window.location.hash = '#便

firefox, android 4
Entry: http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF
window.location.href = 'http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF'
window.location.pathname = '/%E4%BE%BF'
window.location.search = '?%E4%BE%BF'
window.location.hash = '#便'

opera mini, android 4
Entry: http://ember-urldecode-test.herokuapp.com/便?便#便
window.location.href = 'http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#便'
window.location.pathname = '/便'
window.location.search = '?%E4%BE%BF'
window.location.hash = '#便'

opera mini, android 4
Entry: http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF
window.location.href = 'http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF'
window.location.pathname = '/便'
window.location.search = '?%E4%BE%BF'
window.location.hash = '#%E4%BE%BF'

maxthon, android 4
Entry: http://ember-urldecode-test.herokuapp.com/便?便#便
window.location.href = 'http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF'
window.location.pathname = '/%E4%BE%BF'
window.location.search = '?%E4%BE%BF'
window.location.hash = '#%E4%BE%BF'

maxthon, android 4
Entry: http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF
window.location.href = 'http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF'
window.location.pathname = '/%E4%BE%BF'
window.location.search = '?%E4%BE%BF'
window.location.hash = '#%E4%BE%BF'

(edited: added encoded-version url entry)

[krisselden]

You have to encode it on the way in for it to be consistent.

[heartsentwined]

@kselden what do you mean? The test code was just

"""
<pre>
window.location.href = '#{window.location.href}'
window.location.pathname = '#{window.location.pathname}'
window.location.search = '#{window.location.search}'
window.location.hash = '#{window.location.hash}'
</pre>
"""

[heartsentwined]

So I was trying to inspect the properties that the location object would give us at first.

[heartsentwined]

Oh wait, I get it, so the entry URL should have been http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF in the first place, in order to be consistent? Unfortunately the decoded form is totally possible too! - a user could type in the decoded form into the address bar and enter the ember app. Just imagine an ember-app, targeting non-English speakers, trying to localize the urls (route paths).

[heartsentwined]

chrome, windows 7
Entry: http://ember-urldecode-test.herokuapp.com/便?便#便
window.location.href = 'http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#便'
window.location.pathname = '/%E4%BE%BF'
window.location.search = '?%E4%BE%BF'
window.location.hash = '#便'

chrome, windows 7
Entry: http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF
window.location.href = 'http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF'
window.location.pathname = '/%E4%BE%BF'
window.location.search = '?%E4%BE%BF'
window.location.hash = '#%E4%BE%BF'

firefox, windows 7
Entry: http://ember-urldecode-test.herokuapp.com/便?便#便
window.location.href = 'http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF'
window.location.pathname = '/%E4%BE%BF'
window.location.search = '?%E4%BE%BF'
window.location.hash = '#便'

firefox, windows 7
Entry: http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF
window.location.href = 'http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF'
window.location.pathname = '/%E4%BE%BF'
window.location.search = '?%E4%BE%BF'
window.location.hash = '#便'

opera, windows 7
Entry: http://ember-urldecode-test.herokuapp.com/便?便#便
window.location.href = 'http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#便'
window.location.pathname = '/%E4%BE%BF'
window.location.search = '?%E4%BE%BF'
window.location.hash = '#便'

opera, windows 7
Entry: http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF
window.location.href = 'http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF'
window.location.pathname = '/%E4%BE%BF'
window.location.search = '?%E4%BE%BF'
window.location.hash = '#%E4%BE%BF'

maxthon, windows 7
Entry: http://ember-urldecode-test.herokuapp.com/便?便#便
(failure:)
- url got interpreted as 'http://ember-urldecode-test.herokuapp.com/便?%AaBK#%E4%BE%BF'
- *not our problem*

maxthon, windows 7
Entry: http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF
(failure:)
- url got interpreted as 'http://ember-urldecode-test.herokuapp.com/便?%AaBK#%E4%BE%BF'
- *not our problem*

ie, windows 7
Entry: http://ember-urldecode-test.herokuapp.com/便?便#便
(failure:)
- (no reason given)
- *not our problem*

ie, windows 7
Entry: http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF
window.location.href = 'http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF'
window.location.pathname = '/%E4%BE%BF'
window.location.search = '?%E4%BE%BF'
window.location.hash = '#%E4%BE%BF'

[wagenet]

@heartsentwined Looks like this is more complicated than we had hoped. I don't really want to have a ton of Ember code to manage browser inconsistencies and I definitely don't want to have to do browser sniffing (though behavior sniffing is ok). Any ideas?

[krisselden]

@heartsentwined the user typing in a query params seems a dubious concern, but even if they do, decoding it will not be an issue. Regardless it is still consistent encoding the during serialization and decoding during deserialization.

[wagenet]

To clarify what @kselden says, it should work to always extract with location.href and decodeURIComponent then encodeURIComponent when setting. In the event that the browser doesn't encode unicode by default, then calling decodeURIComponent will just pass it through unaltered anyway.

[heartsentwined]

@kselden I agree that nobody would type in query strings, but I am imagining a use case where the user types in the url paths, which have been internationalized for the target audience. Example: while an English-based app might make a song route /song, and reasonably expect/allow the user to enter by typing in /song, the same can be said for a Spanish-based app making a /canción route, and let users in by typing that. (Note /canción = /canci%C3%B3n) I hope the Spanish example would be more familiar to you (I saw you're in Seattle), instead of the Chinese "nonsense" 便. Or another example, someone ambitious enough to build a facebook clone with ember, and allow a user - called José López - to view his profile by example.com/josélópez (example.com/jos%C3%A9l%C3%B3pez).

@wagenet I can make a microlib just for this particular issue, exposing a ConsistentLocation object or something like that. I'm actually surprised we're the first one to run into this issue, googling doesn't give me any pre-existing solution. I mean, we're going to need a microlib either way - if we extract from location.href, then we need to parse the parts (like this lib purl/$.url); or if we want to rely on the individual properties of the location object, then we need a lib to unify them (none that I know of yet).

[krisselden]

Please reread peters comment, there isn't a double decode and it doesn't matter if the browser doesn't percent encode Unicode chars

[heartsentwined]

@kselden yes it isn't a double-decode, I was just pointing out that we should allow reasonably imaginable use cases of entry by the internationalized characters themselves.

[krisselden]

example.com/josélópez and example.com/jos%C3%A9l%C3%B3pez will decode to the same thing, and location.href in the browsers that encode the optionally encoded characters does not encode the meaningful url characters, those still need to be encoded, there is no double decode issue or issue with passing an encoded url.

[krisselden]

the thing you are pointing out with location.href is not the same issue as the location.hash difference

[heartsentwined]

Wait a minute... then why don't we just slap a decodeURIComponent on whatever location.* property we're using? The only edge case where this fails is the %25 literal, where we won't know if it means % (originally encoded), or %25 (originally decoded). But then, this edge case will be present even if we use the location.href anyway, due to its being unreliably encoded or decoded depending on browser. (the double-decoding issue)

My apologies for my own unfamiliarity on this url-encoding issue. slaps myself in face

[heartsentwined]

@wagenet I think we shouldn't encodeURIComponent when setting state though, two reasons:

1. Browser might display the encoded form in the address bar, but I'd venture to say that devs would most likely want a "pretty" (= decoded) url. (e.g., tested with chromium on linux (ubuntu 13.04), history.pushState({}, "", '/便?便#便'); gives the expected url /便?便#便, but history.pushState({}, "", '/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF'); gives a "hybrid" /便?便#%E4%BE%BF).
2. Facilitates internal state comparison. since we store the entry url as decoded, we should also store subsequent state pushes as decoded. This is used, for example, in

   ember.js/packages/ember-routing/lib/location/hash_location.js

   Line 92 in fec92a4

   if (get(self, 'lastSetURL') === path) { return; }

   .

I'll submit a PR once we agree on this one.

[krisselden]

You have to encode params as they may have URL meaningful characters.

[wagenet]

I definitely think encoding should be default. I'm not opposed to an encode method that can be override if you want to come up with your own rules for your app.

[heartsentwined]

I am still skeptical about the need to be URL-safe at this level. As far as I can understand the source, the stored URL is used for:

1. a pseudo-identifier when storing state,
2. display in the address bar,
3. deserializing into a state when a browser has to reload the page.

(1), at the browser level, presumably it has its own standard of encoding/decoding all states, such that it can know that pushing a state with url /便 is the same as pushing one with /%E4%BE%BF. - e.g. the MDN article on the history API. At the ember level, we simply need to be consistent, in order to allow for comparisons between states. Whether they are consistently encoded or decoded doesn't matter in terms of doing comparison.

(2), there are still browser inconsistencies regarding whether it would automatically encode/decode the url, and at which url parts - that, we can't do anything about it. But what we can do, as I have shown in the above snippet, is to "encourage" the browser to display the decoded form by passing in a decoded form at first. - As for why the decoded form? Like I have said earlier, I venture to say that most devs would prefer a pretty, decoded url, instead of an encoded one, as long as they can get away with it.

(3) this occurs, most likely, when the user presses Refresh, or does something like "restore previous session". But this is also the part where things start to break. This is actually easy to test, just try to visit a page with known unsafe characters, in different browsers, and see if they can interpret it. As I have shown above with the different encoded/decoded entry points, two browsers ran into problems (them again - as always!):

maxthon, windows 7
Entry: http://ember-urldecode-test.herokuapp.com/便?便#便
(failure:)
- url got interpreted as 'http://ember-urldecode-test.herokuapp.com/便?%AaBK#%E4%BE%BF'

maxthon, windows 7
Entry: http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF
(failure:)
- url got interpreted as 'http://ember-urldecode-test.herokuapp.com/便?%AaBK#%E4%BE%BF'

ie, windows 7
Entry: http://ember-urldecode-test.herokuapp.com/便?便#便
(failure:)
- (no reason given)

ie, windows 7
Entry: http://ember-urldecode-test.herokuapp.com/%E4%BE%BF?%E4%BE%BF#%E4%BE%BF
(success)

Maxthon failed either way, so it doesn't matter whether we encode or decode the unsafe characters. IE, however, succeeded in loading (or deserializing) a url when given in encoded form, but failed when not encoded. This, I believe, is the use case that @kselden has in mind. (I don't have any apple-based products, so I have no test results from those platforms.)

From this I also conclude that the standard browser behavior should be allowing URLs with decoded/unsafe characters, decode them on-the-fly when needed, and displaying either the encoded or decoded form in the address bar. - although I cannot find any spec relating to this issue.

Ideally I would like to hear more from other devs and get a consensus on this trade off. Essentially it's "human-friendly-display" vs "IE support". Obviously I lean on the former, because from the look of it, IE (again!) is implementing non-standard behaviors, but I'd respect any community consensus.

P.S.

There is also the use case of passing in some urls to ajax requests, but in that case, the responsibility of ensuring that the url is encoded should rest with the ajax call itself, instead of relying on the "input url" being encoded in the first place. For this reason I think that this is out of scope for this discussion.

[wagenet]

When faced with old IE vs other browsers, we've always supported IE by default with the ability to change the default.

[alexspeller]

Also urls are external - so if a chrome user pastes a link in an email, it should work when sent to an IE user - it's not just a case of being able to have friendly urls for chrome users and different behaviour for ie because this breaks shareability which is fundamentally important IMHO.

[heartsentwined]

@wagenet @alexspeller Agreed on the compatibility and shareability arguments. PR over at #3545

[wagenet]

Closing in favor of any further discussion on the PR.