Differences in parsers can result in security issues under certain circumstances. For example, cache poisoning.
Help me add to this list! Comment below
| Source | Key-value pair delimiters | Issue |
|---|---|---|
| WHATWG Spec | & | |
| Python 3.9.1 | & ; | 42967 |
| Python 3.9.2rc1 | & (Default) | |
| Go 1.16 | & ; | #23447 |
| form_urlencoded 1.0.0 (Rust) | & | |
| Rocket 0.4.7 (Rust) | & | |
| Node 15.9.0 querystring | & (Default) | |
| Node 15.9.0 URLSearchParams | & | |
| qs 6.9.6 (JavaScript) | & (Default) | |
| HttpComponents 5.0.3 (Java) | & ; | |
| Ruby 3.0.0 | & ; | |
| Addressable 2.7.0 (Ruby) | & | |
| PHP 8.0.2 | & (Default) | |
| nginx 1.19.7 | & | |
| minio | & ; | |
| AWS S3 | & |