Faraday is using a custom code to escape parameter characters instead of CGI.escape, written in core library (C) and known to be secure (less code and common sense)?
That's a great question, thanks for asking @rubyconvict.
I had to dig into this one as that decision was taken 10 years ago!
From what I understand, CGI.escape works well with Ruby-backed backends (e.g. Rails), but it doesn't produce standards-compliant URLs. For example, spaces are encoded with a + as opposed to the standard %20.
This makes it hard to use when you call an API that is implemented in a different language/framework.
By implementing our own version of escape, we could customize its behaviour in ways that the standard CGI would not allow.
Now, this might well be outdated and maybe the CGI module does now allow for more customization.
I'd be open to hearing more counterarguments if there's anyone familiar with this topic.
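The point in the reply above (CGI.escape turns a space into `+`, which is form-encoding convention rather than RFC 3986 percent-encoding) can be checked directly. The snippet below is an added example for this thread, not Faraday's own `escape` implementation: `rfc3986_escape` percent-encodes every byte outside the RFC 3986 unreserved set, and `strict_percent_decode` is a decoder that, like a non-Ruby server decoding a query string by the RFC, treats `+` as a literal character. Running both encoders through that decoder shows why the choice matters: a value escaped with CGI.escape comes back with a stray `+` where the space was.

```ruby
require 'cgi'

# RFC 3986 "unreserved" characters: ALPHA / DIGIT / "-" / "." / "_" / "~".
# Every other byte (including space and "+") is percent-encoded.
RFC3986_UNRESERVED = /[^A-Za-z0-9\-._~]/

# Illustrative escaper (not Faraday's code): operate on raw bytes so that
# multi-byte UTF-8 characters are encoded byte by byte, e.g. "ü" -> "%C3%BC".
def rfc3986_escape(str)
  str.to_s.b.gsub(RFC3986_UNRESERVED) { |ch| format('%%%02X', ch.ord) }
     .force_encoding(Encoding::US_ASCII)
end

# Decoder that follows RFC 3986 only: "%XX" sequences are decoded, but "+"
# is left as-is. This mimics a backend in another language/framework that
# does not apply application/x-www-form-urlencoded rules to the query.
def strict_percent_decode(str)
  str.to_s.b.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
     .force_encoding(Encoding::UTF_8)
end

# Round-trip a value through each encoder and the strict decoder so the
# mismatch is visible side by side.
def compare_escapers(value)
  cgi_encoded = CGI.escape(value)
  rfc_encoded = rfc3986_escape(value)
  {
    cgi: cgi_encoded,
    cgi_roundtrip: strict_percent_decode(cgi_encoded),
    rfc3986: rfc_encoded,
    rfc3986_roundtrip: strict_percent_decode(rfc_encoded)
  }
end

if __FILE__ == $PROGRAM_NAME
  ['a b', '1+1', 'ü'].each do |sample|
    puts "#{sample.inspect}: #{compare_escapers(sample)}"
  end
end
```

The `1+1` sample shows that both encoders agree on a literal plus sign (`%2B`); the divergence is only in how a space is represented, which is exactly the case where a server that does not speak form-encoding will read the value back incorrectly.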
Basic Info
Issue description
Faraday is using custom code to escape parameter characters instead of CGI.escape, written in core library (C) and known to be secure (less code and common sense)?

faraday/lib/faraday/utils.rb, lines 31 to 35 in 3fc35da
Steps to reproduce
n/a