Indy URL Encoding Bug

The TIdURI.ParamsEncode method in the version of Indy that ships with Rad Studio 2007 fails to encode all restricted characters. According to RFC1738:

   Thus, only alphanumerics, the special characters "$-_.+!*'()," (double
   quotes excluded ed.), and reserved characters used for their reserved
   purposes may be used unencoded within a URL.

Unfortunately, rather than encoding everything that is not allowed in the above list, ParamsEncode tries to identify specific characters which should be encoded, and the list that it uses in incomplete. Some snippets from the code illustrate my point:

UnsafeChars = ‘*#%<> []’; {do not localize}

if ((CharIsInSet(ASrc, i, UnsafeChars)) or (not (CharIsInSet(ASrc, i, CharRange(#33,#128))))) then
begin {do not localize}
Result := Result + ‘%’ + Sys.IntToHex(Ord(ASrc[i]), 2); {do not localize}

So ParamsEncode only encodes those characters that are in UnsafeChars or those that fall outside the range #33..#128. Unfortunately, several restricted characters (like double quotes) are inside the range #33..#128 and are not included in UnsafeChars and hence to do not get encoded. Bummer.

As an expedient fix I have taken to calling ParamsEncode and then fixing the characters that got missed in my own code. Longer term, I want to fix ParamsEncode, but that is for another article when I have more time.

Leave a Reply