You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository was archived by the owner on May 15, 2024. It is now read-only.
Values provided to WebAuthenticatorResult as an Uri are not properly url decoded.
Steps to Reproduce
Use WebAuthenticator.AuthenticateAsync to navigate to some authentication endpoint which callback uri has a querystring with parameter values requiring url encoding, such as "some message & stuff". So the callback url will contain a parameter like msg=some+message+%26+stuff or msg=some%20message%20%26%20stuff, depending on the used encoding algorithm.
Get the parameter value from the WebAuthenticatorResult.Get method.
Expected Behavior
Yield a properly decoded value: some message & stuff.
Actual Behavior
Yield a value still url encoded: some+message+%26+stuff.
Basic Information
Version with issue: Likely all since the feature exist. At least current source code and 1.7.5
This code does not parse properly a querystring. Parameters values (but also keys) should be Url decoded, otherwise the parsing is incomplete. System.Net.WebUtility.UrlDecode could do it adequately, if called on extracted keys and values.
Or extract properly the querystring (currently an uri with both a querystring and a hash will have the last querystring parameter value corrupted by appending it with the hash until the next thing looking like a new parameter, which is another latent bug), then call System.Web.HttpUtility.ParseQueryString on it. (But is System.Web an acceptable dependency?)
This said, fixing this may be a possible breaking change.
Description
Values provided to
WebAuthenticatorResultas anUriare not properly url decoded.Steps to Reproduce
WebAuthenticator.AuthenticateAsyncto navigate to some authentication endpoint which callback uri has a querystring with parameter values requiring url encoding, such as "some message & stuff". So the callback url will contain a parameter likemsg=some+message+%26+stufformsg=some%20message%20%26%20stuff, depending on the used encoding algorithm.WebAuthenticatorResult.Getmethod.Expected Behavior
Yield a properly decoded value:
some message & stuff.Actual Behavior
Yield a value still url encoded:
some+message+%26+stuff.Basic Information
Involved code
Essentials/Xamarin.Essentials/Types/Shared/WebUtils.shared.cs
Lines 11 to 43 in 6ec2124
This code does not parse properly a querystring. Parameters values (but also keys) should be Url decoded, otherwise the parsing is incomplete.
System.Net.WebUtility.UrlDecodecould do it adequately, if called on extracted keys and values.Or extract properly the querystring (currently an uri with both a querystring and a hash will have the last querystring parameter value corrupted by appending it with the hash until the next thing looking like a new parameter, which is another latent bug), then call
System.Web.HttpUtility.ParseQueryStringon it. (But is System.Web an acceptable dependency?)This said, fixing this may be a possible breaking change.