Skip to content

fix(http): Properly URL-encode key and values during x-www-form-urlencoded POSTs #8037

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

fix(http): Properly URL-encode key and values during x-www-form-urlencoded POSTs #8037

wants to merge 8 commits into from

Conversation

theproducer
Copy link
Contributor

This PR fixes keys and values that were not url-encoded in CapacitorHttp on iOS during application/x-www-form-urlencoded HTTP POST requests.

closes: #7840

jcesarmobile
jcesarmobile reviewed Jul 1, 2025
View reviewed changes
ios/Capacitor/Capacitor/Plugins/CapacitorUrlRequest.swift Outdated
@@ -40,8 +40,11 @@ open class CapacitorUrlRequest: NSObject, URLSessionTaskDelegate {
throw CapacitorUrlRequestError.serializationError("[ data ] argument for request with content-type [ multipart/form-data ] may only be a plain javascript object")
}

let allowed = CharacterSet(charactersIn: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
let allowed = CharacterSet(charactersIn: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._")
let allowed = CharacterSet(charactersIn: "-._*").union(.alphanumerics)

This can be simplified with an union to .alphanumerics instead of typing them all
Also added * to match Android behavior, which uses URLEncoder.encode and according to the docs the * should remain the same:

The special characters ".", "-", "*", and "_" remain the same.
https://docs.oracle.com/javase/8/docs/api/java/net/URLEncoder.html#encode-java.lang.String-java.lang.String-

I've noticed that this is also encoding the keys, tested and web also encodes the keys, but Android doesn't encode the keys.
Not sure which one should be the correct behavior, but I think all the 3 platforms should behave the same way, so all of them should encode the keys or none should.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Another thing, on web and Android whitespace ( ) is converted to +, while on iOS it's getting converted into %20.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure which one should be the correct behavior, but I think all the 3 platforms should behave the same way, so all of them should encode the keys or none should.

According to MDN, keys being encoded is the correct behavior. However, changing it on Android could be seen as breaking, unless we categorize non-encoded keys as a bug (which I do).

What do you think?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah, it should be considered a bug and should be fixed

@theproducer theproducer requested a review from jcesarmobile July 2, 2025 18:41
@jcesarmobile jcesarmobile changed the title fix(iOS): Properly URL-encoding key and values during x-www-form-urlencoded POSTs fix: Properly URL-encoding key and values during x-www-form-urlencoded POSTs Jul 3, 2025
@jcesarmobile jcesarmobile changed the title fix: Properly URL-encoding key and values during x-www-form-urlencoded POSTs fix(http): Properly URL-encode key and values during x-www-form-urlencoded POSTs Jul 3, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jcesarmobile jcesarmobile jcesarmobile approved these changes

@OS-kepatotorica OS-kepatotorica OS-kepatotorica approved these changes

@markemer markemer Awaiting requested review from markemer

@Chuckytuh Chuckytuh Awaiting requested review from Chuckytuh

@benmccarty91 benmccarty91 Awaiting requested review from benmccarty91

@trevor-lambert trevor-lambert Awaiting requested review from trevor-lambert

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Bug]: Capacitor HTTP POST application/x-www-form-urlencoded body not encoded on iOS
3 participants
@theproducer @jcesarmobile @OS-kepatotorica