From c7687574de0054959e63992aa88d8b76a02cc825 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Best?= <github@francoisbest.com>
Date: Sat, 23 Nov 2024 16:25:04 +0100
Subject: [PATCH] fix: Encode invisible ASCII control characters (#783)

---
 packages/nuqs/src/url-encoding.test.ts | 6 ++++++
 packages/nuqs/src/url-encoding.ts      | 2 ++
 2 files changed, 8 insertions(+)

diff --git a/packages/nuqs/src/url-encoding.test.ts b/packages/nuqs/src/url-encoding.test.ts
index 88115b8c..c2b45b01 100644
--- a/packages/nuqs/src/url-encoding.test.ts
+++ b/packages/nuqs/src/url-encoding.test.ts
@@ -24,6 +24,12 @@ describe('url-encoding/encodeQueryValue', () => {
     expect(encodeQueryValue('<')).toEqual(encodeURIComponent('<'))
     expect(encodeQueryValue('>')).toEqual(encodeURIComponent('>'))
   })
+  test('hidden ASCII characters are encoded', () => {
+    const chars = Array.from({ length: 32 }, (_, i) => String.fromCharCode(i))
+    chars.forEach(char => {
+      expect(encodeQueryValue(char)).toBe(encodeURIComponent(char))
+    })
+  })
   test('Alphanumericals are passed through', () => {
     const input = 'abcdefghijklmnopqrstuvwxyz0123456789'
     expect(encodeQueryValue(input)).toBe(input)
diff --git a/packages/nuqs/src/url-encoding.ts b/packages/nuqs/src/url-encoding.ts
index b9b8a30b..5ea4bf72 100644
--- a/packages/nuqs/src/url-encoding.ts
+++ b/packages/nuqs/src/url-encoding.ts
@@ -42,6 +42,8 @@ export function encodeQueryValue(input: string) {
       .replace(/`/g, '%60')
       .replace(/</g, '%3C')
       .replace(/>/g, '%3E')
+      // Encode invisible ASCII control characters
+      .replace(/[\x00-\x1F]/g, char => encodeURIComponent(char))
   )
 }