Possible bug: new URL(...) changes url by decoding %2B and %26

I noticed that the implementation of URL of the cloudflare worker automatically decodes %2B to + and %26 to &:

console.log( new URL("http://example.com/%2B" ).toString() ) // http://example.com/+
console.log( new URL("http://example.com/%26" ).toString() ) // http://example.com/&

Thus URL changes the passed URL when it contains the characters %2B or %26. This is not the behavior I see when I run the above code in the web console of a browser. In Firefox and Chromium I get:

console.log( new URL("http://example.com/%2B" ).toString() ) // http://example.com/%2B
console.log( new URL("http://example.com/%26" ).toString() ) // http://example.com/%26

This causes a bug in our cloudflare worker when the request url contains %2B or %26. Since we use the URL-interface to rewrite the request url (i.e. changing the domain) these character encodings do not get passed to our backend so that it responses with an error.

Is this a bug in the URL implementation of the cloudflare worker?

For now it’s best to use a library/polyfill

Thx for your fast response :slight_smile:

This topic was automatically closed 60 minutes after the last reply. New replies are no longer allowed.