Multiline URL Encoded textarea injecting \r\n into strings

[dwarring]

I notice when I type newlines into a text area which is then posted in a form. The line breaks get URL encoded as %0D%0A (carriage-return/line-feed) (both in Chrome and FireFox). These are getting passed all the way through to the query response values.

See screen-shot:

[dwarring]

Pretty sure issue is arising around

cro-http/lib/Cro/HTTP/BodyParsers.pm6

Line 75 in 9fd6382

if $name.contains('%') {

Golfs down to:

my $name = "aa%0D%0Abb";
$name .= subst(:g, /'%' (<[A..Fa..f0..9]>**2)/, {
                            my $ord = :16(.[0].Str);
                            chr($ord)
                        });

dd $name;

producing: Str $name = "aa\r\nbb" (Rakudo 2021.04)

Looks like a Rakudo bug?

[jnthn]

I'm curious, do browsers do this no matter what platform they are running on? I'm also curious if there's precedent for other HTTP libraries doing this normalization. (I can do my own research on both of those, just didn't have time yet.)

[dwarring]

The serialization is being done via the Jquery serialize() method.

They refer to W3C Forms recommendations for application/x-www-form-urlencoded and multipart/form-data

[dwarring]

Fwiw, have now fixed the real issue, a new-line handling bug in CSS::Grammar.