Specify escaping in the multipart/form-data encoding algorithm

[andreubotella]

The multipart/form-data encoding algorithm, rather than specifying an escape algorithm for names and file names, used to provide a recommendation for escaping, that doesn't match what browsers do. This change specifies the escaping mechanism.

---

This PR is a replacement for #3276, since that PR's changes don't reflect the behavior of current browsers, and it seems to confuse escaping unmappable characters at the character encoding level with escaping bytes as needed for the format.

• At least two implementers are interested (and none opposed):
  • Chrome and Safari implement this
• Tests are written and can be reviewed and commented upon at:
  • WPT: Add form-based file upload coverage web-platform-tests/wpt#8596
  • Test multipart/form-data form submission with controls and punctuation. web-platform-tests/wpt#26556
  • Make the tests for multipart/form-data escapes not tentative web-platform-tests/wpt#27142 makes some tests added in the previous PRs no longer tentative.
• Implementation bugs are filed:
  • Chrome: N/A
  • Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1686765
  • Safari: N/A

(See WHATWG Working Mode: Changes for more details.)

---

/form-control-infrastructure.html ( diff )

[annevk]

should we make "encoding" a reference now and also pass that <var>encoding</var>? It seems your tests account for that.

[andreubotella]

You mean after <span data-x="encode">encoding</span> with <var>encoding</var>?

[annevk]

Yeah.

[annevk]

Thanks, this seems like a good incremental improvement here. Will let @domenic make the final call.

[domenic]

Only editorial concerns.

[domenic]

Thanks, this is much clearer!

[domenic]

Don't forget to file the appropriate Firefox bug for the failing tests in web-platform-tests/wpt#27142, although perhaps you are holding off on doing that until other related spec changes also land.

[andreubotella]

Don't forget to file the appropriate Firefox bug for the failing tests in web-platform-tests/wpt#27142, although perhaps you are holding off on doing that until other related spec changes also land.

I was holding off until I opened #6287 and added some tests for that: https://bugzilla.mozilla.org/show_bug.cgi?id=1686765

[vlsi]

Can you please clarify how server-side software should distinguish filenames like %22.txt vs ".txt?

The line says "must not perform any other escapes", so if the filename was %22.txt, then user agent must pass it as %22.txt, while it should convert filename of ".txt as %22.txt.
That creates ambiguity, so the server-side won't be able to tell the original filename.

Am I missing something?

[andreubotella]

Indeed, currently there is no way for server-side software to tell between those two filenames. There's a proposal to fix this in #7575, but it's not clear that making that change will not break currently existing servers.

Note that this PR made the specification align to what two out of three browser engines (Chrome and Safari) were already doing. And while Firefox's behavior back then did distinguish %22.txt and ".txt, it did conflate newlines and spaces, for example.

[vlsi]

A related issue: it looks like there's no way to tell which encoding did browser use to encode the filename. Does it make sense to add an explicit field for it somewhere?
For instance, a per-Content-Disposition charset or a global, per-form charset.

I'm trying to fix unicode filename upload in Apache JMeter, so I am interested in understanding the encodings better.

[andreubotella]

If the form contains an <input type="hidden" name="_charset_"> field, browsers will automatically populate it with the form submission encoding's name, see the "construct the entry list" algorithm.

But in the general case, the encoding name is not included in the form submission body, and I doubt a proposal to include it would gain much support from browser vendors, since UTF-8 is preferred for modern websites.