fix: parse boolean values in URL query parameters #9722
Conversation
|
Was trying to test this and I realised that the URL params are not enabled by default: Any reason why is that not enabled by default? seems the petstore has it: |
|
Added fix to my fork, it works as intended: |
|
This is such an easy fix ... Why does it takes so long to merge? |
|
Hi @heldersepu,
Please have a look at GHSA-qrmm-w75w-3wpx Long story short, it's a security concern, and there must be an explicit decision to enable the query config. We've explicitly decided to enable it on deployments we control like petstore. |
Please be patient. This is huge and complex software and it's just one piece in the entire Swagger ecosystem. We expedite features and bug-fixes with the speed that matches our resources. |
|
I'm suggesting to rewrite the functions into following form: export const parseSearch = () => {
const searchParams = new URLSearchParams(win.location.search)
if (searchParams.size === 0) return {}
for (const [key, value] of searchParams) {
searchParams.set(key, value === 'true' ? true : value === 'false' ? false : value)
}
return Object.fromEntries(searchParams)
}
export const serializeSearch = (searchMap) => {
const searchParams = new URLSearchParams(Object.entries(searchMap))
return String(searchParams)
}Explanation: instead of using custom search params parsing, the functions now use standardized WHATWG spec compliant parser. |
|
But still IMHO we shouldn't be doing this in this function as this function was designed as general purpose search parameters parser. This should be done only depending on the context. Why only handle for (const [key, value] of searchParams) {
searchParams.set(key, value === 'true' ? true : value === 'false' ? false : value)
} |
I see that two unit tests fail with this: the one I added in this PR and: Will check out how to modify these to make it work. |
Yes because the encoding in the test is no longer compatible with WHATWG spec and how url search params SHOULD be encoded apart from how path segment is encoded. To say it simply - how the path and search params are encoded diverged in WHATWG spec. |
Yes, I think we should also handle these. For The setting will work properly in this case, I'm guessing because of type coercion, here when I set it to 1: |
What I mean by this is that we shouldn't actually do it at all (inside the |
|
We can do this as two PRs. First PR is aligning those two functions with WHATWG spec. The seconds one would actually do the context dependent coercion somewhere in Line 139 in 3b72ee1 |
|
Reverted the changes to I went through the config options and hopefully didn't miss anything. I skipped the options that allow functions. Also tested it manually and an example for these options: 
We can see that:
Deep linking also works, example URL: Let me know if it's intended to support arrays and objects in the URL as well. |
|
Superseded by #9829 |
Refs #9674