Title: {urllib,urllib.parse}.urlencode should not use quote_plus
Type: enhancement Stage: commit review
Components: Library (Lib) Versions: Python 3.5
Status: open Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: Jeff.Edwards, Stephen.Day, cvrebert, eric.araujo, ezio.melotti, jin, maker, orsenthil, r.david.murray, ronnix, samwyse, vadmium, wiggin15
Priority: normal Keywords: patch

Created on 2012-01-25 22:12 by Stephen.Day, last changed 2015-04-17 04:18 by vadmium.

File name Uploaded Description Edit
urllib_parse.diff samwyse, 2012-07-14 10:52 patch that adds a 'quote_via' keyword parameter to the urlencode function
issue13866.diff wiggin15, 2015-04-15 14:33
Messages (14)
msg151980 - (view) Author: Stephen Day (Stephen.Day) Date: 2012-01-25 22:12
The current behavior of the urlencode function (2.7: urllib, 3.x: urllib.parse) encodes spaces as pluses:

>>> from urllib import urlencode
>>> urlencode({'a': 'some param'})

However, in most instances, it would be desirable to merely encode spaces using percent encoding:

>>> urlencode({'a': 'some param'})

But there is no way to get this behavior in the standard library. 

It would probably best to change this so it defaults to use the regular quote function, but allows callers who need the legacy quote_plus behavior to pass that in as a function parameter.

An acceptable fix would be to have the quote function taken as a keyword parameter, so legacy behavior remains:

>>> urlencode({'a': 'some param'})

Then the behavior could be adjusted where needed:

>>> from urllib import quote
>>> urlencode({'a': 'some param'}, quote=quote)
msg153251 - (view) Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2012-02-13 07:23
Stephen - urlencode is responsible for producing the application/x-www-form-urlencoded  format, usually used in the FORMs in the web.
As per the spec, the Space characters are replaced by `+'. -

What you are looking for is probably quote and quote_plus helper functions.

When I had this doubt (long back), I referred to Java's URLEncoder class to see how it was behaving and then looked at the HTML specs. It was kind of standard behavior across different libraries.  Closing this as invalid.
msg153299 - (view) Author: Stephen Day (Stephen.Day) Date: 2012-02-13 20:46
I apologize for reopening this bug, but I find your interpretation to be inaccurate. While technically valid, the combination of the documentation, the function name and the main use cases yields pathological invocations of urlencode. My bug report is to help mitigate these problems.

The main use case for "url encoding" of mapping types is not for posting form data; the main use case is appending url parameters to a url:

>>> from urllib import urlencode
>>> from urlparse import urlunparse
>>> urlunparse(('http', '', '/', None, urlencode({'a': 'some string'}), None))

Any sane person would naturally gravitate to a function called "urlencode" to url encode a mapping type. If the urllib.urlencode function is indeed intended for form-encoding, as I agree is hinted in the documentation, it should indicate that its result is 'application/x-www-form-urlencoded' or it should be called "formencode".

The quote or quote_plus is not at all "what I am looking for"; I am quite familiar with these library functions. These functions are for encoding component strings; they don't meet the use case described at all:

>>> quote({'a': 1})
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/", line 1248, in quote
    if not s.rstrip(safe):
AttributeError: 'dict' object has no attribute 'rstrip'

In addition, Java's URLEncoder implementation is hardly a good example of standards compliant URL manipulation. Python is not Java. The Python community needs to make its own, independent, mature language decisions. In general, the use of '+' to encode spaces in content, even if it is compliant against an arbitrary standard, is pathological, especially when used in urls. Even though python's quote_plus function works symmetrically on its own, when pluses are used in a multi-language environment it can become impossible to tell whether a plus is a literal '+' or an encoded space. In addition, the usage of '%20' for spaces will work in almost all cases.

RFC3986, Section 2 [1] describes the use of percent-encoding as a solution to representing reserved characters. In practice, percent-encoding is used on the value component of 'key=value' productions and this works in nearly all cases. The referenced standard [2], while relevant to the "implied" use case, is not applicable to url assembly.

Given your interpretation, it seems that there is no function in the python standard library to meet the use case of correctly assembling url parameter values, leaving application developers to come up with something like this:

>>> '&'.join(['='.join((quote(k), quote(v))) for k,v in {'a': '1', 'b': 'with spaces'}.iteritems()])

In most cases, people will just use urlencode, which uses pluses for spaces, yielding pathological, noncompliant urls.

In deference to this bug closure, there are a few options:

1. Close this issue and keep polluting the world's urls with pluses for spaces.

2. Make urlencode target path/query parameter encoding and then create a new function, formencode, for use in encoding form data, breaking backwards compatibility.

3. Simply add a keyword argument to urlencode to allow the caller to specify the encoding function and separator, retaining compatibility and satisfying all of the above use cases.

Naturally, 3 seems to be a very reasonable solution to this bug.

[1] explicitly covers 
msg154079 - (view) Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2012-02-23 19:07
A couple of points to help summarize and to help come to a conclusion.

In the initial message, Stephen pointed out, "it would be desirable to merely encode spaces using percent encoding".

It seems to me that only in cases where a custom handling of query string is done, would space be encoded to %20 (or if it's an IRI instead of URI - details below) and for HTTP requests and in both GET and POST, encoding to space in a URI to + is a correct thing to do.

The query part in the URL always needs to follow the application/x-www-form-urlencoded format, so even when urlencode is used for constructing a query parameters, it should encode space to +

The argument that all characters should be hex encoded (and thereby space should be %20), seems to apply if it is an IRI. Look at an interesting discussion in this link:

Only with this point as consideration. I think, sending a parameter for quote to use quote or quote_plus may be worthy option to consider (Stephen's point #3). 

But I have to add that the existing behavior of replacing space with "+" in "URL"s is not breaking anything and in fact is following the rules properly.
msg154082 - (view) Author: Stephen Day (Stephen.Day) Date: 2012-02-23 20:01
While it's likely that adding a `quote`/`quote_plus` function paramater to urlencode is the right solution, I want to ensure that the key point is communicated clearly: encoding a space as a '+' is pathological, in that in the common case, an unescaped encoded character is indistinguishable from a literal '+'. Take the case of the literal string '+ '. If one uses the javascript encodeURI function to encode the string in a browser console, one gets the following:

> encodeURI('+ ')

Now, we have a string that will not decode symmetrically. In other words, we cannot tell if this string should decode to '  ' or '+ '. And while use of encodeURI is discouraged, application developers still use it places, introducing these kinds of errors.

Conversely, we can see that the behavior of encodeURIComponent, is unambiguous:

encodeURIComponent('+ ')

And while these are analogues to quote and quote_plus (there exists now analogue to javascripts urlencode), it's easy to see that disambiguating the encoding of the resulting output of urlencode would be desirable.

There is a similar situation with php library functions. 

Furthermore, it is agreed that urlencode does follow the rules, but the rules, as they are, introduce an asymmetrical, pathological encoding. Most services accept '%20' as space in lieu of '+' when data is encoded as 'application/x-www-form-urlencoded' anyway.

Concluding, I know it seems a little silly to spend time filing this bug and provide relevant cases, but I'd like to cite professional experience in this matter; I have seen "pluses-for-spaces" introduce errors time and time again.
msg165273 - (view) Author: (jin) Date: 2012-07-11 21:21
I just ran into exactly the same problem and was quite disappointed to see that urlencode does not provide an option to use percent encoding.

My use case: I'm preparing some metadata on the server side that is stored as an url encoded string, the processing is done in python.

The metadata is then deocded by a JavaScript web UI.

So I end up with:
urllib.urlencode({ 'key': 'val with space'}) which produces "key=val+with+space" which of course stays that way after processing it with JavaScript's decodeURI().

So basically I seem to be forced to implement my own urlencode function... Most thing I like about python that it always seems to have exactly what one needs, unfortunately not in this specific case.

IMHO Stephen's suggestion #3 makes a lot of sense, while '+' maybe correct for forms, it's simply not useful for a number of other situations and I was really surprised by the fact that there's no standard function that would url-encode with percentage encoding.
msg165439 - (view) Author: Samwyse (samwyse) Date: 2012-07-14 10:52
Since no one else seems willing to do it, here's a patch that adds a 'quote_via' keyword parameter to the urlencode function.

>>> import urllib.parse
>>> query={"foo": "+ "}
>>> urllib.parse.urlencode(query)
>>> urllib.parse.urlencode(query, quote_via=urllib.parse.quote)
msg209342 - (view) Author: Jeff Edwards (Jeff.Edwards) Date: 2014-01-26 18:42
It's interesting how long this issue has been around.  It seems to be because the form-urlencoded spec is specified as url-percent-encoding EXCEPT for ' ' -> '+', which does seem to be unintuitive.

To note, there are a few known cases where the exception does lead to either confusion or outright breakage, such as AWS Signature V4 authentication which requires an an HMAC of the 'canonical' query string which expected the parameters sorted and url encoding where ' ' -> '%20'.  While I do not believe that should be the sole reason to force a change, it does add to the utility of the currently-submitted patch as written.
msg240988 - (view) Author: Arnon Yaari (wiggin15) * Date: 2015-04-14 18:58
Updated patch to the correct format, added a test and some more documentation.
msg241093 - (view) Author: Martin Panter (vadmium) * Date: 2015-04-15 11:17
To be consistent, I think the documentation should mark up the parameters with asterisks: *quote_via*. Also, you lost the markup for :func:`quote_plus`.

The test cases should probably use self.assertEqual(). The “assert” statement is not appropriate for testing because it can be optimized away.

You also need to clarify in the documentation and tests how the “safe” parameter interacts with the choice of quote function. Are slashes encoded or not by default with quote_via=quote?
msg241106 - (view) Author: Arnon Yaari (wiggin15) * Date: 2015-04-15 14:33
Fixed Martin's comments.
msg241200 - (view) Author: Martin Panter (vadmium) * Date: 2015-04-16 03:51
New patch looks good.
msg241279 - (view) Author: R. David Murray (r.david.murray) * (Python committer) Date: 2015-04-16 21:44
Martin, if you think the patch is complete and ready to commit, please change the stage to commit review.  I'm trying to encourage core devs to look at the patches in commit review state and commit them :)
msg241309 - (view) Author: Martin Panter (vadmium) * Date: 2015-04-17 04:18
Yep I think this is ready. I’ll keep your advice in mind for other patches as well :)
Date User Action Args
2015-04-17 04:18:21vadmiumsetmessages: + msg241309
stage: patch review -> commit review
2015-04-16 21:44:55r.david.murraysetnosy: + r.david.murray
messages: + msg241279
2015-04-16 03:51:25vadmiumsetmessages: + msg241200
2015-04-15 14:33:13wiggin15setfiles: + issue13866.diff

messages: + msg241106
2015-04-15 14:32:34wiggin15setfiles: - issue13866.patch
2015-04-15 11:17:46vadmiumsetnosy: + vadmium
messages: + msg241093
2015-04-14 18:58:52wiggin15setfiles: + issue13866.patch
versions: + Python 3.5, - Python 3.4
nosy: + wiggin15

messages: + msg240988
2014-05-20 12:59:49facundobatistasetstage: resolved -> patch review
versions: + Python 3.4, - Python 3.3
2014-01-26 18:42:18Jeff.Edwardssetnosy: + Jeff.Edwards
messages: + msg209342
2013-01-07 22:35:16ronnixsetnosy: + ronnix
2012-07-14 10:52:15samwysesetfiles: + urllib_parse.diff
keywords: + patch
messages: + msg165439
2012-07-13 22:42:40samwysesetnosy: + samwyse
2012-07-11 21:21:05jinsetnosy: + jin
messages: + msg165273
2012-02-23 21:22:49cvrebertsetnosy: + cvrebert
2012-02-23 20:01:02Stephen.Daysetmessages: + msg154082
2012-02-23 19:07:22orsenthilsetmessages: + msg154079
2012-02-21 08:53:43makersetnosy: + maker
2012-02-18 10:12:44ezio.melottisetnosy: + ezio.melotti
2012-02-13 20:46:46Stephen.Daysetstatus: closed -> open
resolution: not a bug ->
messages: + msg153299
2012-02-13 07:23:47orsenthilsetstatus: open -> closed
resolution: not a bug
messages: + msg153251

stage: test needed -> resolved
2012-02-03 13:49:25eric.araujosetnosy: + eric.araujo
2012-01-27 23:34:02terry.reedysetnosy: + orsenthil
stage: test needed
type: enhancement

versions: - Python 3.1, Python 2.7, Python 3.2, Python 3.4
2012-01-25 22:12:01Stephen.Daycreate