Hi James,
> First, I better clarify a major assumption.
> I have been assuming that a percent character will be escaped when encode=true.
> UriBuilder.fromPath("abc%2Fdef", true) -> "abc%252Fdef"
> Is this correct? It seems to be what Jersey does, but the spec is not totally clear. The spec (javadoc) talks about "automatic encoding of illegal characters". Percent characters are not illegal in URIs -- as long as they are followed by a pair of hex digits.
>
The Restlet implementation checks the two signs after the percent and
sees in your case, that "%2F" is fine, and do not encode the percent. If
you give e.g. "ab%JK" it is encoded to "ab%2FJK". While thinking about,
it could be better, to not allow percent encoded values, if the encoding
is on.
> As an alternative way of explaining my point, consider what would happen if encode=true mode did NOT escape '%' characters.
> * 99.99% of encode=true usage is unchanged as raw '%' chars are rarely used in URIs.
> * For the remaining usage, the developer has to write "%25" instead of "%".
> * For handling "uncontrolled" input, the chars that can cause problems goes from 2 {} to 3 {}% -- which cannot make it materially harder. If fact, handling "uncontrolled" input becomes much easier. The caller can escape these 3 chars then keep using encode=true mode (to take care of the context-sensitive & i18n encoding). With the current modes the caller has to switch to encode=false mode. Consequently, they have to do all the context-sensitive and i18n encoding themselves.
> * There is no valid URI that cannot be built in this encode=true mode so encode=false can be eliminated.
>
I disagree. If you get encoded data, e.g. from the current query or from
whereever, I think it is good, if I could directly give it to the
UriBuilder.
best regards
Stephan