@tuleap/fetch-result
tries to automatically encode URI using the following code snippet:
export const getURI = (uri: string, params: AutoEncodedParameters = {}): string =>
encodeURI(uri) + getSearchParams(params);
Unfortunately, this is problematic. encodeURI()
does not encode everything we might need and it prevents the caller to use encodeURIComponent()
.
For example with the following URI /some_page/<name>
where <name>
is something dynamic, if you have a name like foo#bar
you will get /some_page/foo#bar
but it is more like you want /some_page/foo%23bar
. The example is bit extreme to demonstrate the issue but it is not that unlikely to encounter one of the non escaped characters in more complex queries (e.g. /api/a?query=<JSON encoded string>
. Also, encodeURI()
will break valid URLs using IPv6 directly because it does not handle the square brackets defined in RFC3986 correctly (again not something common but something it would be preferable not to have to troubleshoot in production...).
The automagic URI encoding cannot really happen because we need to distinguish what is "user" data to what it is not. This is not something we can do when work on an opaque string.