Closed Bug 1686765 Opened 8 months ago Closed 4 months ago

Implement spec-compliant newline normalization in form payloads

Categories

(Core :: DOM: Forms, task)

task

Tracking

()

RESOLVED FIXED
90 Branch
Tracking Status
firefox90 --- fixed

People

(Reporter: abb, Assigned: abb, NeedInfo)

References

Details

(Keywords: dev-doc-complete)

Attachments

(1 file)

Spec PRs: https://github.com/whatwg/html/pull/6282, https://github.com/whatwg/html/pull/6287 (still under review)
Test PRs: https://github.com/web-platform-tests/wpt/pull/27142, https://github.com/web-platform-tests/wpt/pull/26740 (still under review)

The HTML spec is changing the way form payloads are handled to be more specific and match implementations better, in particular around newline normalization and escaping in multipart/form-data payloads.

https://github.com/whatwg/html/pull/6282 specifies the exact escaping implementations must use for multipart/form-data forms: percent-encoding newlines and double quotes. This goes against Firefox's behavior of replacing newlines with a space and escaping double quotes with a backslash. See the tests FileAPI/file/send-file-form-controls.html and FileAPI/file/send-file-form-punctuation.html.

https://github.com/whatwg/html/pull/6287 changes the way newline normalization works: for multipart/form-data, the spec used to require that form entries which originated from forms were normalized (names and string values, but not filenames or file contents), but not entries added through other means (such as by populating a FormData object from JS, or by modifying the entry list from JS through the formdata event). Now all form entries must be normalized. See FileAPI/file/send-file-formdata-controls.html.

John, is this something you want to fix (at least the changes that are no longer under review)? (And perhaps you're also interested in giving feedback on the proposed changes to these algorithms.)

Component: General → DOM: Forms
Flags: needinfo?(jdai)
Product: Firefox → Core

This doesn't seem like a hard fix, so I'd like to take it up if that's okay. I would appreciate jdai's review here and on the WHATWG PR, though.

I'll take a look. Keep NI for tracking.

See Also: → 1687820
Severity: -- → S3

It seems like the HTML pull request is close to being merged, so John, if you have any feedback, please go ahead and give it.

Status: UNCONFIRMED → NEW
Ever confirmed: true
See Also: → 1697292

This commit also changes the way escapes work in multipart/form-data names and filenames.

Assignee: nobody → abb
Status: NEW → ASSIGNED

jdai: Could you review the revision?

Pushed by opettay@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/beece7a29ecd
Update newline normalization in form payloads. r=smaug

This revision had to land together with https://phabricator.services.mozilla.com/D108679, since that revision adds the changes needed to the multipart/form-data parser in the WebExtensions API which are needed to get the same result as these changes on the serializer. See bug 1697292. I had linked both revisions, but maybe I got that wrong.

Flags: needinfo?(abb)
Pushed by opettay@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/3e05faaa217d
Update newline normalization in form payloads. r=smaug
Status: ASSIGNED → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → 90 Branch
Keywords: dev-doc-needed

Added to release notes.

You need to log in before you can comment on or make changes to this bug.