Is it safe to call base::EscapeQueryParamValue() in the browser process with untrusted inputs?
I noticed that it is not listed in
the rule of 2 safe types, but there is code that seems to call it in the browser process with untrusted input (for instance the "Copy link to highlight" selection right click menu option
seems to, IIUC).
I'm working on some code that requires a url::Origin to be URL-encoded -- we don't trust the renderer process to give us the correct origin. I'm also reviewing some code that might need to encode a URL component as well in the browser process.
Unlike JSON, where we have a
decoder service, I don't think there's an easy way to perform URL component encoding in a utility process?
-Caleb