Re: [whatwg/url] Web reality: Filenames should be newline-normalized in urlencoded (#562)

I've been testing the behavior of browsers in several combinations of cases.

Some of the features I was testing weren't available in all browsers. In particular:

- FACEs are only available in Chrome.
- In Safari, the `FormData` object in `FormDataEvent#formData` isn't live – i.e., modifying it doesn't update the entry list.
- Firefox replaces newlines in `multipart/form-data` names and filenames with whitespace – this is currently arguably legal by the spec; it's expected to become illegal when whatwg/html#3276 is merged.

-----

Browsers treat "string/`File`-sourced entries" differently from "`FormData`-sourced entries" (these are ad-hoc terms, please don't use them anywhere else): "string/`File`-sourced entries" derive from either an `<input type="hidden">`, an `<input type="file">`, a FACE with a string submission value, or a FACE with a `File` submission value. "`FormData`-sourced entries" derive from a FACE with a `FormData` submission value, or are added to the entry list through the `formdata` event.

"Normalized" here means following the normalization in the "append an entry" algorithm. When used for serializations, it means all names and values are serialized, including string values that come from filenames in the entry list.

- `application/x-www-form-urlencoded` and `text/plain`:
  - String/`File`-sourced entries:
    - When observed from the `formdata` event:
      - Chrome, Safari: names and string values are normalized
      - Firefox: unchanged
    - Serialized as: normalized
  - `FormData`-sourced entries:
    - When observed from the `formdata` event: unchanged
    - Serialized as: normalized*
- `multipart/form-data`:
  - String/`File`-sourced entries:
    - When observed from the `formdata` event:
      - Chrome, Safari: names and string values are normalized
      - Firefox: unchanged
    - Serialized as:
      - Chrome, Safari: names and string values are normalized, filenames are unchanged
      - Firefox: values are normalized (files and filenames N/A)
  - `FormData`-sourced entries:
    - When observed from the `formdata` event: unchanged
    - Serialized as:
      - Chrome: unchanged
      - Firefox: values are normalized (files and filenames N/A)

\*. Chrome treats the serialization of `FormData`-sourced entries differently in the `text/plain` enctype than it and Firefox treat them in `urlencoded`: names are unchanged, and so are values which derive from an original string value, but values which derive from an original filename _are_ normalized. This seems to be almost certainly a bug.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/url/issues/562#issuecomment-747363193

Received on Thursday, 17 December 2020 10:49:10 UTC
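
The "normalized" serialization the comment above records for `application/x-www-form-urlencoded`, as an added example that is not part of the original message or of any browser's code. The function names and the entry-list shape (`{ name, value }`, with a file modelled as `{ filename }`) are assumptions made for illustration, and the sample entries are constructed.

```javascript
// Added example: a model of the behaviour described above, not browser source.

// Newline normalization as in the HTML "append an entry" step: every CR not
// followed by LF, and every LF not preceded by CR, becomes CRLF.
function normalizeNewlines(s) {
  // Matching CRLF first leaves existing pairs intact; lone CR / LF are expanded.
  return s.replace(/\r\n|\r|\n/g, "\r\n");
}

// For urlencoded (and text/plain) a file entry contributes only its filename,
// which is then treated like any other string value.
function asString(value) {
  return typeof value === "string" ? value : value.filename;
}

// Constructed entry list (hypothetical shape, see lead-in).
const entries = [
  { name: "note\nfield", value: "line1\rline2" },       // bare LF / bare CR
  { name: "upload", value: { filename: "a\nb.txt" } },  // newline in a filename
  { name: "ok", value: "already\r\nnormal" },           // already CRLF
];

// "Serialized as: normalized": names, string values and filenames all go
// through normalizeNewlines before percent-encoding.
function serializeUrlencoded(list) {
  const pairs = list.map(({ name, value }) => [
    normalizeNewlines(name),
    normalizeNewlines(asString(value)),
  ]);
  // URLSearchParams#toString implements the urlencoded serializer.
  return new URLSearchParams(pairs).toString();
}

// Indices of entries whose bytes on the wire differ from what a script saw
// when the entry list was observed "unchanged" in the formdata event.
function changedBySerialization(list) {
  return list.flatMap(({ name, value }, i) => {
    const v = asString(value);
    return normalizeNewlines(name) !== name || normalizeNewlines(v) !== v ? [i] : [];
  });
}

console.log(serializeUrlencoded(entries));
console.log(changedBySerialization(entries));
```

A server-side check that compares a submitted filename against a value a script observed earlier has to apply the same normalization to both sides, since the two can differ only in their newlines.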