Broken query params handling behavior on escaped character "%2B" (the "+" symbol) in 1.1.26 #943

Open
kazkazma opened this issue Dec 17, 2024 · 2 comments · May be fixed by #960
Labels
bug Something isn't working

Comments

@kazkazma

What version of Elysia is running?

1.1.26

What platform is your computer?

Microsoft Windows NT 10.0.19045.0 x64

What steps can reproduce the bug?

I found this issue when I tried parsing the ISO8601 string with a positive timezone.

The following reproduction code is a little bit different from the test case, which is at

it('parse + in query', async () => {

import Elysia, { t } from "elysia";

const api = new Elysia().get("", ({ query }) => query, {
  query: t.Object({
    keyword: t.String(),
  }),
});

const url = new URL("http://localhost:3000/");
url.searchParams.append("keyword", "hello+world");
console.log(url.href);    // http://localhost:3000/?keyword=hello%2Bworld

const result = await api
  .handle(new Request(url.href))
  .then((response) => response.json());

console.log(result); 
/* 
{
  keyword: "hello world",    // Should be "hello+world"
}
*/

What is the expected behavior?

When sending the "%2B", should return "+"

What do you see instead?

As downgrading to 1.1.25, the behavior is as expected, which returns a "+".

Additional information

No response

Have you tried removing the node_modules and bun.lockb and trying again yet?

No response

@kazkazma kazkazma added the bug Something isn't working label Dec 17, 2024
@bogeychan
Contributor

bogeychan commented Dec 17, 2024

Thanks for reporting this finding.
You can use new Elysia({ aot: false }) as a workaround.


@SaltyAom, it's not just + but all characters that have some form of escaping.

Stuff like this seems to be the cause:

elysia/src/compose.ts

Lines 794 to 798 in 9ab72e8

if(memory === -1) a${index} = url.slice(start).replace(/\\+|%20/g, ' ')
else {
a${index} = url.slice(start, memory).replace(/\\+|%20/g, ' ')

@shiny

shiny commented Jan 26, 2025

I've encountered an issue while developing a URL Shortener that accepts a URL via the query string.

Example long URL

https://example.com/index.html?q=fine&k=fine2

When no guard is applied or aot is disabled, everything works as expected. However, when using t.String() or t.String({ format: 'uri' }) as a guard, things start behaving unexpectedly, the strings after & are truncated, even encodeURIComponented.

The example long URL would be truncated to https://example.com/index.html?q=fine

My Example Code

import { Elysia, t } from "elysia";

const app = new Elysia().get("/", ({ query }) => {
  return `url is ${query.url}`
}, {
  query: t.Object({
    url: t.String({ format: 'uri'})
  })
}).listen(3000);

console.log(
  `🦊 Elysia is running at ${app.server?.hostname}:${app.server?.port}`
);
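
Added example, not part of the thread and not Elysia's code: a round-trip check that compares a query parser against what `URL.searchParams` emitted, using the values reported above. `parseQueryDecodeFirst` is a constructed parser (an assumption, not the code in compose.ts) that percent-decodes before splitting, which reproduces both reported symptoms; `parseQuery` splits first, maps `+` to a space, then decodes.

```javascript
// Percent-decode one component; '+' means space only in its still-encoded form.
function decodeComponent(s) {
  const spaced = s.replace(/\+/g, " ");
  try { return decodeURIComponent(spaced); } catch { return spaced; } // malformed %xx kept as is
}

// Correct order: split on '&' and the first '=', then decode each piece.
function parseQuery(raw) {
  const out = {};
  for (const pair of raw.replace(/^\?/, "").split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? "" : pair.slice(eq + 1);
    out[decodeComponent(key)] = decodeComponent(value);
  }
  return out;
}

// Constructed wrong order: decoding the whole string first turns %2B into '+'
// (then into a space) and %26 into a separator.
function parseQueryDecodeFirst(raw) {
  const decoded = decodeURIComponent(raw.replace(/^\?/, ""));
  const out = {};
  for (const pair of decoded.split("&")) {
    const eq = pair.indexOf("=");
    if (eq === -1) continue;
    out[pair.slice(0, eq)] = pair.slice(eq + 1).replace(/\+/g, " ");
  }
  return out;
}

// Returns the sample values that do not survive encode -> parse unchanged.
function roundTripFailures(parse, values) {
  return values.filter((value) => {
    const url = new URL("http://localhost:3000/");
    url.searchParams.append("v", value); // encodes '+' as %2B, '&' as %26
    return parse(url.search).v !== value;
  });
}

// Constructed samples based on the values mentioned in the thread.
const samples = [
  "hello+world",
  "2024-12-17T09:00:00+09:00",
  "https://example.com/index.html?q=fine&k=fine2",
  "a b",
  "100%",
];
console.log(roundTripFailures(parseQuery, samples));            // []
console.log(roundTripFailures(parseQueryDecodeFirst, samples)); // first three samples
```

A check like this is useful as a regression test wherever a query value feeds a validation decision (for example a `format: 'uri'` guard on a redirect target), since the value that was validated must be the value the client actually sent.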
