5

Users can search my site. Sometimes they might use a search term containing a forward slash (search with / slash), which, when submitted by the form, turns into %2F in the URL.

For example

www.mysite.com/search/search+with+%2F+slash

I have used the answer from here which works great to give me the right page and not return a 404.

My problem now is that I use pagination and custom filters on the page, both of which are passed as GET vars in the URL, and when accessing the GET var it's empty.

For example

www.mysite.com/search/search+with+%2F+slash?page=2

This is my current route

```php
$this->get('search/{search_term}', ['uses' => 'SearchController@search'])
    ->where('search_term', '(.*(?:%2F:)?.*)');
```

Not sure what to do from here.

marc_s
Mark
  • You would not have to take care of the encoded characters in the url. That's why I think you have to use a far simpler regex, you have to escape the `?` also I think. – Daniel W. Feb 08 '17 at 17:30
  • I'm not great at regex. Maybe you can offer a regex solution – Mark Feb 08 '17 at 17:35

1 Answer

0

Including an encoded slash (%2F) in the path component of a URL is not a good idea. The HTTP RFC says that this sequence should be "equivalent" to a real slash:

Characters other than those in the "reserved" and "unsafe" sets (see RFC 2396 [42]) are equivalent to their ""%" HEX HEX" encoding.

In practice, the handling of these URLs is inconsistent. Some web servers (and even some browsers!) will treat %2F as equivalent to a real slash, some will treat it differently, and some tools, including some web application firewalls and proxies, will simply reject URLs which contain such a sequence.

If you need to include user input like this in a URL, you should probably put it in a query string (/search/?q=search+with+%2f+slash).

Community
  • 1
  • 1
  • 1
    Actually, the RFC says it's **not** equivalent to the HEX encoding, as the `/` is part of the reserved set. – aross Sep 05 '17 at 07:49
  • Downvoted because no change and no answer in almost 3 years. This has been a controversial issue on Github as well, as Laravel *clearly* violates the RFC. See here: https://github.com/laravel/framework/pull/4338 – aross Dec 27 '19 at 13:12
  • 1
    @aross agreed. His quoted excerpt of the RFC does not apply to the forward-slash / as it's part of the reserved list. He left out that crucial part of the RFC. – Peter Chaula Jun 28 '22 at 10:57
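The inconsistency the answer describes can be reproduced offline. The following is an added example, not code from the question, the answer or Laravel: it parses the question's URL in the two orders that different servers, proxies and WAFs use, then shows the query-string form the answer recommends. The function names, the `q` parameter name and the treatment of `+` as a space in the path are assumptions made for illustration.

```python
from urllib.parse import urlsplit, unquote_plus, parse_qs, urlencode

def split_then_decode(url):
    """Split the raw path on '/', then decode each segment (%2F stays data)."""
    raw_path = urlsplit(url).path
    # Assumption: '+' means space in the path, as the question's form produces it.
    return [unquote_plus(seg) for seg in raw_path.split("/") if seg]

def decode_then_split(url):
    """Decode the whole path first, then split (%2F becomes a separator)."""
    decoded = unquote_plus(urlsplit(url).path)
    return [seg for seg in decoded.split("/") if seg]

def is_ambiguous(url):
    """True when the two parsing orders disagree about the path segments."""
    return split_then_decode(url) != decode_then_split(url)

def build_search_url(term, page):
    """Query-string form: the term never touches the path."""
    return "/search?" + urlencode({"q": term, "page": page})

def query_params(url):
    """Decode the query string into a flat dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

# Constructed sample input: the URL from the question.
PATH_FORM = "http://www.mysite.com/search/search+with+%2F+slash?page=2"

if __name__ == "__main__":
    print("split then decode:", split_then_decode(PATH_FORM))
    print("decode then split:", decode_then_split(PATH_FORM))
    print("ambiguous path   :", is_ambiguous(PATH_FORM))
    safe = build_search_url("search with / slash", 2)
    print("query-string form:", safe)
    print("ambiguous path   :", is_ambiguous(safe))
    print("decoded params   :", query_params(safe))
```

A front-end component that decodes before splitting sees three path segments where the application's router sees two, so the router and anything in front of it can disagree about which resource is being requested; with the term in the query string both orders yield the same single segment.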