Faraday is using custom code to escape parameters instead of CGI.escape #1396

Open
rubyconvict opened this issue Feb 4, 2022 · 1 comment
Labels
info Generic question on how to use Faraday

Comments

@rubyconvict

Basic Info

  • Faraday Version: all
  • Ruby Version: all

Issue description

Faraday is using custom code to escape parameter characters instead of CGI.escape, which is written in the core library (C) and known to be secure (less code and common sense)?

    # ESCAPE_RE and default_space_encoding are the Faraday::Utils definitions, added here so the snippet runs stand-alone
    ESCAPE_RE = /[^a-zA-Z0-9 .~_-]/.freeze
    def default_space_encoding; @default_space_encoding ||= '+'; end

    def escape(str)
      str.to_s.gsub(ESCAPE_RE) do |match|
        "%#{match.unpack('H2' * match.bytesize).join('%').upcase}"  # each byte of the match becomes %XX
      end.gsub(' ', default_space_encoding)
    end

Steps to reproduce

n/a

@iMacTia
Member

iMacTia commented Feb 4, 2022

That's a great question, thanks for asking @rubyconvict.
I had to dig into this one, as that decision was taken 10 years ago!
From what I understand, CGI.escape works well with Ruby-backed backends (e.g. Rails), but it doesn't produce standards-compliant URLs. For example, spaces are encoded with a + as opposed to the standard %20.
This makes it hard to use when you call an API that is implemented in a different language/framework.
By implementing our own version of escape, we could customize its behaviour in ways that the standard CGI would not allow.

Now, this might well be outdated, and maybe the CGI module does now allow for more customization.
I'd be open to hearing more counterarguments if anyone is familiar with this topic.

@iMacTia iMacTia added the info Generic question on how to use Faraday label Feb 4, 2022
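As an added illustration of the trade-off discussed above (example code, not from the issue or from Faraday itself), the Ruby below compares CGI.escape with a re-implementation of the quoted escaper, parameterised on the space encoding, and runs the output through a strict RFC 3986 percent-decoder to show why a '+' space is not recovered by a server that does not speak form encoding. FARADAY_ESCAPE_RE is assumed to match the character class used in Faraday::Utils; the helper names and sample values are constructed for this example.

```ruby
require 'cgi'

# Character class assumed to mirror Faraday::Utils::ESCAPE_RE:
# everything except alphanumerics, space and . ~ _ - gets percent-encoded.
FARADAY_ESCAPE_RE = /[^a-zA-Z0-9 .~_-]/

# Re-implementation of the escaper quoted in the issue. The space encoding is a
# parameter so the '+' (form) and '%20' (RFC 3986) variants can be compared.
def faraday_style_escape(str, space: '+')
  str.to_s.gsub(FARADAY_ESCAPE_RE) do |m|
    "%#{m.unpack('H2' * m.bytesize).join('%').upcase}"  # each byte -> %XX
  end.gsub(' ', space)
end

# Encode one value with each encoder and return the results keyed by name.
def compare_encoders(value)
  {
    cgi:          CGI.escape(value),                          # form style: space -> '+'
    faraday_plus: faraday_style_escape(value),                # same default as Faraday
    faraday_pct:  faraday_style_escape(value, space: '%20')   # RFC 3986 style
  }
end

# Strict RFC 3986 percent-decoder: only %XX triplets are decoded and '+' is kept
# literally, which is how a non-form-aware server interprets a '+'-encoded space.
def rfc3986_unescape(str)
  str.b.gsub(/%([0-9A-Fa-f]{2})/) { [$1].pack('H2') }.force_encoding(str.encoding)
end

# Does a value survive encode -> strict decode unchanged for the given space encoding?
def round_trips?(value, space:)
  rfc3986_unescape(faraday_style_escape(value, space: space)) == value
end

if __FILE__ == $PROGRAM_NAME
  compare_encoders('q=a b&c/ü').each { |name, out| puts "#{name.to_s.ljust(13)} #{out}" }
  puts "round-trip with '+':   #{round_trips?('a b', space: '+')}"    # false
  puts "round-trip with '%20': #{round_trips?('a b', space: '%20')}"  # true
end
```

Both encoders agree on reserved characters and multibyte input; the only difference that matters for interoperability is the space, which is why a configurable space encoding is the part worth keeping.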