feat: use qs_dart in buildUrlString for enhanced query string encoding (#158)

* ➕ add qs_dart and validators dependencies

* ⚡ improve URL validation and query parameter handling in buildUrlString

* ✅ enhance URL parameter handling tests in buildUrlString

* 📝 update error message for invalid URL in buildUrlString

* ⬆️ bump qs dependency

Author: techouse

lib/utils/query_parameters.dart

@@ -1,69 +1,36 @@
+import 'package:qs_dart/qs_dart.dart' as qs;
+import 'package:validators/validators.dart' as validators;
+
 /// Takes a string and appends [parameters] as query parameters of [url].
 ///
-/// It validates the URL structure and properly encodes both keys and values
-/// to prevent URL injection attacks.
+/// Throws [ArgumentError] if [url] is not a valid URL.
 String buildUrlString(String url, Map<String, dynamic>? parameters) {
-  // Avoids unnecessary processing.
-  if (parameters == null) return url;
-
-  // Check if there are parameters to add.
-  if (parameters.isNotEmpty) {
-    // Validate URL structure to prevent injection
-    // First check if it looks like a valid HTTP/HTTPS URL
-    if (!url.startsWith('http://') && !url.startsWith('https://')) {
-      throw ArgumentError(
-        'Invalid URL structure: $url - must be a valid HTTP/HTTPS URL',
-      );
-    }
-
-    try {
-      final uri = Uri.parse(url);
-      // Additional validation: ensure it has a host
-      if (uri.host.isEmpty) {
-        throw ArgumentError(
-          'Invalid URL structure: $url - must have a valid host',
-        );
-      }
-    } catch (e) {
-      if (e is ArgumentError) {
-        rethrow;
-      }
-      throw ArgumentError('Invalid URL structure: $url');
-    }
+  late final Uri uri;
 
-    // Checks if the string url already has parameters.
-    if (url.contains("?")) {
-      url += "&";
-    } else {
-      url += "?";
+  try {
+    if (!validators.isURL(url)) {
+      throw FormatException('Invalid URL format');
     }
-
-    // Concat every parameter to the string url with proper encoding
-    parameters.forEach((key, value) {
-      // Encode the key to prevent injection
-      final encodedKey = Uri.encodeQueryComponent(key);
-
-      if (value is List) {
-        if (value is List<String>) {
-          for (String singleValue in value) {
-            url += "$encodedKey=${Uri.encodeQueryComponent(singleValue)}&";
-          }
-        } else {
-          for (dynamic singleValue in value) {
-            url +=
-                "$encodedKey=${Uri.encodeQueryComponent(singleValue.toString())}&";
-          }
-        }
-      } else if (value is String) {
-        url += "$encodedKey=${Uri.encodeQueryComponent(value)}&";
-      } else {
-        url += "$encodedKey=${Uri.encodeQueryComponent(value.toString())}&";
-      }
-    });
-
-    // Remove last '&' character.
-    url = url.substring(0, url.length - 1);
+    uri = Uri.parse(url);
+  } on FormatException {
+    throw ArgumentError.value(url, 'url', 'Must be a valid URL');
   }
 
-  return url;
+  return parameters?.isNotEmpty ?? false
+      ? uri
+          .replace(
+              query: qs.encode(
+                <String, dynamic>{
+                  ...uri.queryParametersAll,
+                  ...?parameters,
+                },
+                qs.EncodeOptions(
+                  listFormat: qs.ListFormat.repeat,
+                  skipNulls: false,
+                  strictNullHandling: false,
+                ),
+              ),
+              queryParameters: null)
+          .toString()
+      : url;
 }

pubspec.yaml

@@ -12,6 +12,8 @@ environment:
 
 dependencies:
   http: ^1.2.1
+  qs_dart: ^1.3.8
+  validators: ^3.0.0
 
 dev_dependencies:
   lints: ^4.0.0