fix: Special characters in list-based where constraints break URL parsing

AdrianCurtin · AdrianCurtin · commit a7d50cf343f4 · 2026-04-18T14:46:16.000-04:00
`whereContainedIn`, `whereNotContainedIn`, and `whereArrayContainsAll` embed String elements into the `where={...}` querystring without URL encoding. `Uri(query: ...)` leaves `&`, `=`, `+`, and `#` as valid query sub-delimiters, so an element like "Peanut Butter & Jelly" causes the server to split the querystring at the literal `&` and reject the request with `code: 102 Invalid parameter for query`. Apply `Uri.encodeComponent` to String elements at constraint-build time, following the pattern introduced in #866 for the scalar `whereEqualTo` / `whereContains` family. Non-String elements (numbers, pointers, etc.) are left untouched.
diff --git a/packages/dart/lib/src/network/parse_query.dart b/packages/dart/lib/src/network/parse_query.dart
@@ -252,7 +252,7 @@ class QueryBuilder<T extends ParseObject> {
   void whereContainedIn(String column, List<dynamic> value) {
     queries.add(
       _buildQueryWithColumnValueAndOperator(
-        MapEntry<String, dynamic>(column, value),
+        MapEntry<String, dynamic>(column, _encodeStringElements(value)),
         '\$in',
       ),
     );
@@ -262,7 +262,7 @@ class QueryBuilder<T extends ParseObject> {
   void whereNotContainedIn(String column, List<dynamic> value) {
     queries.add(
       _buildQueryWithColumnValueAndOperator(
-        MapEntry<String, dynamic>(column, value),
+        MapEntry<String, dynamic>(column, _encodeStringElements(value)),
         '\$nin',
       ),
     );
@@ -312,12 +312,23 @@ class QueryBuilder<T extends ParseObject> {
   void whereArrayContainsAll(String column, List<dynamic> value) {
     queries.add(
       _buildQueryWithColumnValueAndOperator(
-        MapEntry<String, dynamic>(column, value),
+        MapEntry<String, dynamic>(column, _encodeStringElements(value)),
         '\$all',
       ),
     );
   }
 
+  /// Percent-encodes String elements of [value] so that characters such as
+  /// `&`, `=`, `+`, and `#` survive URL querystring parsing when the list is
+  /// serialized into `where={...}` via [buildQuery]. Non-String elements are
+  /// left untouched. Mirrors the per-argument encoding applied by the scalar
+  /// [whereEqualTo] / [whereContains] family of methods.
+  List<dynamic> _encodeStringElements(List<dynamic> value) {
+    return value
+        .map<dynamic>((dynamic e) => e is String ? Uri.encodeComponent(e) : e)
+        .toList();
+  }
+
   /// Returns an object where the [String] column has a regEx performed on,
   /// this can include ^StringsWith, or ^EndsWith. This can be manipulated to the users desire
   void regEx(String column, String value) {
diff --git a/packages/dart/test/src/network/parse_query_test.dart b/packages/dart/test/src/network/parse_query_test.dart
@@ -695,5 +695,51 @@ void main() {
 
       expect(queryString, equals(expectedQueryString.toString()));
     });
+
+    test(
+        'list-based where methods encode special characters in String elements',
+        () {
+      // arrange
+      final queryBuilder = QueryBuilder.name('Diet_Plans');
+
+      // act
+      queryBuilder.whereContainedIn('topics', <dynamic>[
+        "RFI's & Change Orders",
+        'Schedule (Impacts, Delays, Inspections)',
+      ]);
+      queryBuilder.whereNotContainedIn('excluded', <dynamic>['a=b', 'c+d']);
+      queryBuilder.whereArrayContainsAll('tags', <dynamic>['x#y', 'z&w']);
+
+      // assert
+      final queryString = queryBuilder.buildQuery();
+      const encodedAmp = '%26'; // &
+      const encodedEq = '%3D'; // =
+      const encodedPlus = '%2B'; // +
+      const encodedHash = '%23'; // #
+
+      expect(queryString, contains(encodedAmp));
+      expect(queryString, contains(encodedEq));
+      expect(queryString, contains(encodedPlus));
+      expect(queryString, contains(encodedHash));
+
+      // Ensure the raw unencoded delimiters do NOT appear inside the JSON
+      // values (they would break querystring parsing on the server).
+      expect(queryString.contains('& Change Orders'), isFalse);
+      expect(queryString.contains('a=b'), isFalse);
+      expect(queryString.contains('c+d'), isFalse);
+      expect(queryString.contains('x#y'), isFalse);
+    });
+
+    test('list-based where methods leave non-String elements untouched', () {
+      // arrange
+      final queryBuilder = QueryBuilder.name('Diet_Plans');
+
+      // act
+      queryBuilder.whereContainedIn('nums', <dynamic>[1, 2, 3]);
+
+      // assert
+      final queryString = queryBuilder.buildQuery();
+      expect(queryString, contains('"\$in":[1,2,3]'));
+    });
   });
 }
