decodeURIComponent fails from URI provided from form submit to chrome.webRequest

Question

i have the following situation.

• i do a GET request via an HTML form
  • i have one text field and the field has the contents of << BLAH >alert (”BLAH”);//<</ blah >. It's known invalid, hypothetical markup.
• i have an event listener on webRequest
• i attempt to decodeURIComponent on the full url of the webrequest, trigged by form submission
• decoding fails, contrary to expectation.
  • i expect that decodeURIComponent should be able to decode anything the browser encodes from a form. this appears to be a wrong assumption, or a bug in chrome: 55.0.x*

If the below JS was in a chrome extension, the following snippet would demonstrate the issue.

var filter =  { urls: ['<all_urls>'] }

function handler (details) {
  decodeURIComponent(details.url)
}
chrome.webRequest.onBeforeRequest.addListener(
  handler,
  filter,
  ['blocking', 'requestBody']
)

<form method='get'>
  <input type='text' name='field'/>
  <button type='submit'>submit</button>
</form>

Of course you can't actually run this--webRequest is part of the chrome extension API.

Looking for tips. Thanks!

Answer 1

I had a URI malformed error in Google Chrome, when I tried decoding a string using decodeURIComponent as well. It failed on the % character that was in that string, I did not want any check to happen on the validity of that string. So I ended up using the unescape method intsead: unescape(mystring)

Answer 2

This was root caused down to curly quotes. Chrome doesn't remap any chars on your behalf to be URI friendly. That is '”' !== '"', and my form field was using ”. ” ==> %94. What strange is that the form under the hood doesn't use encodeURIComponent('”') ==> %E2%80%9D. Anyway, decodeURIComponent('%94') blows up.