I applied to a company for a developer role. When I apply for jobs, I usually add the company name to my email address. For instance, myemail@test.com becomes myemail+companyname@test.com. It is a totally valid way to keep track of who may have leaked your email.
So now this company sent me a link to a test they wanted me to take, with my email address as a query parameter. Question to the class: does anyone see the problem in this link?
https://linktotest.com/schedule?email=myemail+companyname@test.com
No? Let's talk about URL encoding. URLs use specific characters for structure. For instance, :, /, ?, = and + are all valid structural parts of this URL:
https://www.mywebsite.com/path?type=star+wars
But what happens when we want to use those same characters as data and not structure in the URL?
Say that in the query params, we want to pass the email (very insecure, do not do this):
https://emailfinder.com?email=user@email.com
But this user is like me and has a + in their email, so now we have:
https://emailfinder.com?email=user+tracker@email.com
These query params are not the same.
The first one translates to
email = "user@email.com"
And the second to
email = "user tracker@email.com"
The + symbol encodes a single space in the URL IFF (if and only if) it occurs in the query params! When + occurs before the ?, it is just a plus symbol. This explains why it sometimes causes bugs.
Path: /files/hello+world.txt → + is a LITERAL plus sign
Query: ?search=hello+world → + is a SPACE
So now the link the company sent me kept raising an error saying this email doesn't exist.
The fix?
Encode the + symbol as %2B, so the link becomes:
https://emailfinder.com?email=user%2Btracker@email.com
You can read a breakdown of URL encoding here.
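The broken link and the encoded link side by side, as an added JavaScript example (Node.js or a browser console) that is not part of the original post. The URLs and addresses are the placeholders used above, and the function names are hypothetical.

```javascript
// Added example. URLs and addresses are the placeholders from the post;
// function names are hypothetical.

// Reads the parameter the way most server frameworks do: the query string
// is decoded with form-urlencoded rules, so a raw "+" becomes a space.
function readEmailParam(link) {
  return new URL(link).searchParams.get("email");
}

// The path is only percent-decoded, so "+" stays a literal plus sign.
function readPath(link) {
  return decodeURIComponent(new URL(link).pathname);
}

// The bug: the raw address is concatenated into the query string.
function buildLinkUnsafe(base, email) {
  return `${base}?email=${email}`;
}

// The fix: let the URL API encode the value ("+" -> "%2B", "@" -> "%40").
function buildLinkSafe(base, email) {
  const url = new URL(base);
  url.searchParams.set("email", email);
  return url.toString();
}

// Receiving side: a decoded address containing whitespace is the signature
// of an unencoded "+", so it can be rejected or logged explicitly instead of
// surfacing as "this email doesn't exist".
function looksMangled(email) {
  return email === null || /\s/.test(email);
}

const address = "myemail+companyname@test.com";
const base = "https://linktotest.com/schedule";
for (const link of [buildLinkUnsafe(base, address), buildLinkSafe(base, address)]) {
  const email = readEmailParam(link);
  console.log(link, "->", JSON.stringify(email), "mangled:", looksMangled(email));
}
console.log(readPath("https://www.mywebsite.com/files/hello+world.txt"));
```

Whoever generates the link should use the safe builder, and whoever receives it can use a check like `looksMangled` to tell an encoding bug apart from an address that really is unknown.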
After making that substitution, it worked and I was able to schedule my interview. Fingers crossed I pass the interview, but it was a fun edge case to run into.