The HTML spec, as of whatwg/html#6282, specifies that when serializing multipart/form-data payloads, the '\n', '\r' and '\b' characters in names and filenames must be encoded as b"%0A", b"%0D" and b"%22", respectively. This was changed to match Chromium and WebKit's behavior, and Firefox is in the process of implementing this change (Gecko bug 1686765). Note that a '%' character doesn't get replaced by anything, which makes the b"%0A", b"%0D" and b"%22" sequences in the output ambiguous.
Given that, you might expect at least Chromium and WebKit to decode those escapes sequences when parsing multipart/form-data names and filenames. But as it turns out, every implementation leaves those escapes, and any other percent-encodes for that matter, as is.
There is another issue I noticed when parsing names and filenames, and it's related to Firefox's still current behavior when encoding (which will be changed in bug 1686765). Rather than percent-decoding, Gecko instead escaped '"' quotes by prepending a '\\' backslash (without escaping backslashes themselves). Since the value of the name and filename parameters are MIME quoted-strings, it makes sense to support that escape when parsing, but that would conflict with the serialization as currently spec'd.
Furthermore, when combined with other parsing bugs, we have all three implementations successfully parsing the following Content-Disposition header in different ways:
Content-Disposition: form-data; name="test1\"; filename="; filename="test2"
|
Name |
Filename |
| Gecko |
test1\ |
test2 |
| Chromium |
test1"; filename= |
test2 |
| WebKit |
test1\ |
; filename= |
If these behaviors turn out to be required for web compatibility, then it would mean that the multipart/form-data parser we're specifying would have to be specific to Body.prototype.formData() and shouldn't be used for anything else, including new APIs or server implementations. Note that the multipart/form-data parser in Chrome's implementation of the chrome.webRequest.onListener extension API has neither of those problems.
The HTML spec, as of whatwg/html#6282, specifies that when serializing
multipart/form-datapayloads, the'\n','\r'and'\b'characters in names and filenames must be encoded asb"%0A",b"%0D"andb"%22", respectively. This was changed to match Chromium and WebKit's behavior, and Firefox is in the process of implementing this change (Gecko bug 1686765). Note that a'%'character doesn't get replaced by anything, which makes theb"%0A",b"%0D"andb"%22"sequences in the output ambiguous.Given that, you might expect at least Chromium and WebKit to decode those escapes sequences when parsing
multipart/form-datanames and filenames. But as it turns out, every implementation leaves those escapes, and any other percent-encodes for that matter, as is.There is another issue I noticed when parsing names and filenames, and it's related to Firefox's still current behavior when encoding (which will be changed in bug 1686765). Rather than percent-decoding, Gecko instead escaped
'"'quotes by prepending a'\\'backslash (without escaping backslashes themselves). Since the value of thenameandfilenameparameters are MIMEquoted-strings, it makes sense to support that escape when parsing, but that would conflict with the serialization as currently spec'd.Furthermore, when combined with other parsing bugs, we have all three implementations successfully parsing the following
Content-Dispositionheader in different ways:Content-Disposition: form-data; name="test1\"; filename="; filename="test2"test1\test2test1"; filename=test2test1\; filename=If these behaviors turn out to be required for web compatibility, then it would mean that the
multipart/form-dataparser we're specifying would have to be specific toBody.prototype.formData()and shouldn't be used for anything else, including new APIs or server implementations. Note that themultipart/form-dataparser in Chrome's implementation of thechrome.webRequest.onListenerextension API has neither of those problems.