Add URL escaping/unescaping for winhttp URL functions. #353

Open: zooba wants to merge 3 commits into python:main from zooba:gh-351

@zooba (Member) commented May 29, 2026

Fixes #351

Copilot AI left a comment

Pull request overview

Fixes #351 by making the WinHTTP URL helpers percent-decode userinfo (and host/path where appropriate) and percent-encode user/password when re-assembling URLs, so that HTTP Basic auth credentials with reserved characters (e.g. @ in SAML/SSO emails) are transmitted correctly. The native helpers also keep an "env-var" escape hatch so that %NAME% placeholders are passed through untouched and sanitise_url is updated to mirror that on both the username and password fields.

Changes:

  • Introduce native escape_url_part/unescape_url_part helpers in winhttp.cpp and rewire winhttp_urlopen, winhttp_urlsplit, and winhttp_urlunsplit to decode userinfo/host/path and re-encode credentials, dropping the previous add_nuls/mutating-URL approach.
  • Update sanitise_url to also preserve %...%-style usernames (not just passwords) and fix a typo where the password check called startswith twice.
  • Add tests for sanitising encoded credentials, round-tripping encoded userinfo through unsanitise_url, percent-decoded credentials in extract_url_auth, and urljoin behavior with %XX segments.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| src/_native/winhttp.cpp | Adds escape/unescape helpers, decodes host/path/credentials before use, re-encodes credentials on unsplit, and switches WinHttpCreateUrl away from ICU_ESCAPE. |
| src/manage/urlutils.py | sanitise_url now preserves env-var-style usernames and correctly checks password suffix. |
| tests/test_urlutils.py | Adds sanitise/unsanitise/extract_url_auth cases for percent-encoded userinfo and urljoin cases for encoded path segments. |
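
The decode-then-re-encode handling of userinfo that the review above describes, as an added Python example that is not code from this pull request. The names `split_auth`, `join_auth` and `basic_header`, the placeholder pattern, and the sample URL are assumptions made for illustration; they are not the project's `extract_url_auth`, `sanitise_url` or native helpers.

```python
import base64
import re
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# Assumption: a placeholder is a whole field wrapped in percent signs, e.g. %PIP_USER%.
_PLACEHOLDER = re.compile(r"%[^%]+%")

def _decode(part):
    """Percent-decode one userinfo field, leaving %NAME% placeholders untouched."""
    if _PLACEHOLDER.fullmatch(part):
        return part
    return unquote(part)

def _encode(part):
    """Percent-encode every reserved character, again sparing placeholders."""
    if _PLACEHOLDER.fullmatch(part):
        return part
    return quote(part, safe="")

def split_auth(url):
    """Return (url_without_userinfo, user, password) with credentials decoded."""
    u = urlsplit(url)
    userinfo, sep, hostport = u.netloc.rpartition("@")
    if not sep:
        return url, None, None
    user, has_pw, pw = userinfo.partition(":")
    bare = urlunsplit((u.scheme, hostport, u.path, u.query, u.fragment))
    return bare, _decode(user), _decode(pw) if has_pw else None

def join_auth(url, user, password=None):
    """Inverse of split_auth: re-encode so '@' and ':' in credentials cannot shift the host."""
    u = urlsplit(url)
    userinfo = _encode(user)
    if password is not None:
        userinfo += ":" + _encode(password)
    return urlunsplit((u.scheme, userinfo + "@" + u.netloc, u.path, u.query, u.fragment))

def basic_header(user, password):
    """Authorization header value; it must carry the decoded credentials."""
    raw = f"{user}:{password or ''}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

# Constructed sample: an SSO-style e-mail username and a password containing ':' and '/'.
SAMPLE = "https://alice%40example.com:p%3Ass%2Fw0rd@pkgs.example.com/simple/"
# Constructed sample: env-var placeholders that must pass through unchanged.
ENV_SAMPLE = "https://%PIP_USER%:%PIP_PASS%@pkgs.example.com/simple/"
```

Without the decode step the Basic header would carry the literal `alice%40example.com`, which the server does not recognise as the user's identity.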

Comment thread tests/test_urlutils.py Outdated
Comment thread tests/test_urlutils.py Outdated
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Successfully merging this pull request may close these issues.

extract_url_auth does not percent-decode URL userinfo, breaking HTTP Basic auth for usernames containing '@' (e.g. SAML/SSO email identities)
