net/url: `QueryEscape` escapes its own escape characters #56503

UndeadBaneGitHub · 2022-10-31T23:53:08Z

$ go version
go1.19.2

But really, affects 1.18 and other versions too

Yes

It's universal anywhere, since it's a bug in logic implementation of internal shouldEscape method

Already escaped string should not be escaped again (example behavior: Javascript encodeURIComponent method and similar)

It gets escaped as many times as the method is called.

The text was updated successfully, but these errors were encountered:

seankhliao · 2022-11-01T00:02:12Z

The + sign carries semantic meaning within url query escaping, in general it won't be possible to know if it has been escaped before.

Closing as working as intended.

UndeadBaneGitHub · 2022-11-01T00:03:00Z

@seankhliao It also escapes % sign as shown in the playground, it is not working as intended.

ianlancetaylor · 2022-11-01T00:04:45Z

The JavaScript encodeURIComponent function also escapes a % character in its input string, encoding it as %25.

We aren't going to make any changes here.

seankhliao closed this as not planned Won't fix, can't repro, duplicate, stale Nov 1, 2022

golang locked and limited conversation to collaborators Nov 1, 2023

gopherbot added the FrozenDueToAge label Nov 1, 2023

Provide feedback