π Bug Report β Runtime APIs: URLSearchParams.toString() doesn't escape backslashesΒ #4593
Description
The URLSearchParams spec defines the stringification of URLSearchParams to use the application-x-www-form-urlencoded-percent-encode-set, a subset of which is the userinfo-percent-encode-set, which includes backslash (U+005C) as a character that should be encoded:
U+005B ([) to U+005D (]), inclusive
However, workerd (tested with v1.20250722.0) does not encode backslashes in URLSearchParams. Here is a minimal reproduction of the bug:
# app.capnp
using Workerd = import "/workerd/workerd.capnp";
const config :Workerd.Config = (
services = [
(name = "main", worker = .mainWorker),
],
sockets = [
# Serve HTTP on port 8080.
( name = "http",
address = "*:8080",
http = (),
service = "main"
),
]
);
const mainWorker :Workerd.Worker = (
compatibilityDate = "2023-02-28",
modules = [
(
name = "main.js",
esModule = embed "main.js"
)
]
);
// main.js
export default {
async fetch() {
const urlSearchParams = new URLSearchParams([['key', '\\']]);
const stringifiedUrlSearchParams = urlSearchParams.toString();
console.log(stringifiedUrlSearchParams);
return new Response(stringifiedUrlSearchParams);
},
};The resulting output is key=\
Note that both the browser and NodeJS adhere to the spec.
Browser (Chrome v137.0.7151.122):
> const urlSearchParams = new URLSearchParams([['key', '\\']]);
> urlSearchParams.toString()
'key=%5C'
NodeJS (v22.17.1):
> const urlSearchParams = new URLSearchParams([['key', '\\']]);
> urlSearchParams.toString()
'key=%5C'