fix(route): safe decode path with % #2434
Conversation
✅ Deploy Preview for rspress ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
|
|
✅ Deploy Preview for rspress-v2 ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
There was a problem hiding this comment.
Pull Request Overview
This PR fixes an issue where URLs containing invalid percent-encoded characters (like %dex) would cause decodeURIComponent to throw an error. The fix introduces a safe decoding function that handles malformed percent encodings gracefully.
- Adds
safeDecodeURIComponentfunction to handle malformed percent-encoded URLs - Replaces direct
decodeURIComponentusage innormalizeHrefwith the safe version - Adds test coverage for URLs with invalid percent encoding
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| packages/shared/src/runtime-utils/utils.ts | Implements safe URL decoding function and integrates it into normalizeHref |
| packages/shared/src/runtime-utils/utils.test.ts | Adds test case for URL with invalid percent encoding |
| // decodeURIComponent will throw error if the url is not valid | ||
| // this function will replace the invalid characters with %25 | ||
| export function safeDecodeURIComponent(uri: string) { | ||
| return decodeURIComponent(uri.replace(/%/g, '%25')); |
There was a problem hiding this comment.
Doesn't it change the meaning of original %*? For example if I have a url with %20 which represents a space , after this change, a url contains %20 will be changed as %2520...
cc @SoonIter
There was a problem hiding this comment.
I think this restores the original meaning of the %. For decodeURI, % is an escape character, but in the case of a%b.md, it simply represents the % character itself. To make decodeURI recognize the original meaning of this character, we need to replace % with %25 before using decodeURI.
There was a problem hiding this comment.
It makes %20 unavailable anymore.
There was a problem hiding this comment.
I was thinking too simply. I will try to filter all % encodings.
There was a problem hiding this comment.
Here is my final solution
- Processing strategy:
-
- First attempt direct decoding, return result if successful
-
- If failed, check each %xx sequence individually:
-
- Check if it's a valid hexadecimal format
-
- Try to decode the specific %xx sequence
-
- If decoding fails (e.g., invalid UTF-8 sequence), replace with %25xx
-
- If format is incorrect, replace % with %25
-
- Finally decode the fixed string
-
There was a problem hiding this comment.
sorry, this algorithm is too expensive for us to maintain...
Do other frameworks have this problem, how do they solve it, and are there any available packages already?
Summary
Related Issue
#2372
Checklist