[Libevent-users] evhttp_encode_uri() fails to escape certain characters
Hello,
While using 'evhttp_encode_uri()' to encode GET & POST fields (I hope
this is the right function to use) I noticed that a lot of characters
are not being escaped in the way I would expect them to be escaped.
For example: I would have expected it to encode '+' to '%2B' because it
will otherwise be treated as a space by the receiving webserver, but it
didn't.
I can't directly find a good source mentioning all characters that need
escaping but when looking at the following Wikipedia link you can get an
impression of some of the characters that should be escaped:
http://en.wikipedia.org/wiki/Percent-encoding.
When I take their first example ( ! * ' ( ) ; : @ & = + $ , / ? # [ ] )
and feed it to evhttp_encode_uri() then only 6 out of the 18 characters
are being escaped:
- Escaped: ; & ? # [ ]
- Not escaped: ! * ' ( ) : @ = + $ , /
Looking at their second example ( < > ~ . " { } | \ - ` _ ^ % <space> )
libevent seems to do quite a bit better: 11 out of the 15 characters are
being escaped, and those are rather harmless:
- Escaped: < > " { } | \ ` ^ % <space>
- Not escaped: ~ . - _
For reference I have also tested this with PHP's 'urlencode()' which
fully escaped all characters from the first example but skipped the
following (also rather harmless) characters in the second example: . - _
The second example should be fine, but the first one clearly lists quite
a few characters that are not being escaped and that should be escaped.
Could you take a look at this? I hope this is enough information for
now, but if you want me to do more testing/need more information then
just let me know.
Before I forget: I tested this with both 2.0.2-alpha and 2.0.7-rc
Sincerely yours,
Bas Verhoeven
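
An added example, not part of the original message and not libevent code: a stand-alone encoder for a single GET/POST field name or value that leaves only the RFC 3986 unreserved set (letters, digits, `-`, `.`, `_`, `~`) untouched and percent-encodes every other byte, so `+` becomes `%2B`. The name `encode_component` and the sample strings are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 3986 "unreserved" set: ALPHA / DIGIT / "-" / "." / "_" / "~". */
static int is_unreserved(unsigned char c)
{
    return (c < 0x80 && isalnum(c)) || c == '-' || c == '.' || c == '_' || c == '~';
}

/* Hypothetical helper (not a libevent function); caller frees the result. */
char *encode_component(const char *in)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t len = strlen(in);
    char *out, *p;
    if (len > (SIZE_MAX - 1) / 3)      /* len * 3 + 1 would overflow */
        return NULL;
    out = p = malloc(len * 3 + 1);     /* worst case: every byte -> %XX */
    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        if (is_unreserved(c)) {
            *p++ = (char)c;
        } else {
            *p++ = '%';
            *p++ = hex[c >> 4];
            *p++ = hex[c & 0x0F];
        }
    }
    *p = '\0';
    return out;
}

int main(void)
{
    /* Constructed inputs: the two character sets from the post, plus a value with '+'. */
    const char *samples[] = { "!*'();:@&=+$,/?#[]", "<>~.\"{}|\\-`_^% ", "1+1=2&x" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *enc = encode_component(samples[i]);
        if (enc == NULL) return 1;
        printf("%-22s -> %s\n", samples[i], enc);
        free(enc);
    }
    return 0;
}
```

This encodes one component at a time; running it over a complete URL would also escape the `/`, `?`, `&` and `=` that delimit its parts.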