Urls should be safe by default

Following https://github.com/algolia/instantsearch.js/issues/848#issuecomment-191795411 and a support request we had also recently, I believe we should fix our urls.

We will get more and more issues about unsafe urls in the future.

Problem :trollface:

we implemented urls so that they do not look too bad: ?query=&hits=24&idx=instant_search&p=0&nR[price][<=][0]=320&is_v=1

But this is not really standard because most parameters should be encoded so that our urls are compatible with every use case (copy pasting from/to email/app/slack, server side parsing, library parsing…)

Thus it would mean having urls like:

?query=&hits=24&idx=instant_search&p=0&nR%5Bprice%5D%5B%3C%3D%5D%5B0%5D=380&is_v=1

Not so clean and readable but would work everywhere.

Possible solutions 🐴

• allow the helper to always encode. It’s currently disabled and we specifically asked for this feature in the qs project (lol)

This even seem to be backward compatible. It would be a WTF moment for developers but safety first!

• create a brand new stringifier for complex objects => url which would not be based on unsafe characters like [ ] > =

Here we should be careful about URL versions if we want to stay backward compatible (is_v= will help)

• use https://github.com/vjeux/URLON

Help and feedback appreciated.