From 8b9478f9af8cc5a2cb81eab25e0503759424de69 Mon Sep 17 00:00:00 2001
From: Tieg Zaharia <tieg.zaharia@gmail.com>
Date: Wed, 13 Mar 2024 05:33:08 +0800
Subject: [PATCH] Encode "+" as "%2B" since "+" is a valid SemVer character.
 (#17)

Signed-off-by: Tieg Zaharia <tieg@tidelift.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
---
 packageurl.go      | 4 ++++
 packageurl_test.go | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/packageurl.go b/packageurl.go
index 4f688a8..221f22f 100644
--- a/packageurl.go
+++ b/packageurl.go
@@ -382,6 +382,10 @@ func pathEscape(s string) string {
 		switch {
 		case c == '@':
 			t.WriteString("%40")
+		case c == '+':
+			// url.PathEscape doesn't encode '+' since it's a valid query escape character for ' ' in application/x-www-form-urlencoded, but '+' is a
+			// valid character in semver so we don't want it to be unintentionally unescaped as ' ' by downstream parsers of the purl.
+			t.WriteString("%2B")
 		case c == '?' || c == '#' || c == ' ' || c > unicode.MaxASCII:
 			t.WriteString(url.PathEscape(string(c)))
 		default:
diff --git a/packageurl_test.go b/packageurl_test.go
index 480fba8..d9142ea 100644
--- a/packageurl_test.go
+++ b/packageurl_test.go
@@ -354,8 +354,8 @@ func TestEncoding(t *testing.T) {
 		},
 		{
 			name:     "pre-encoded version is unchanged",
-			input:    "pkg:type/name/space/name@versio%20n?key=value#sub/path",
-			expected: "pkg:type/name/space/name@versio%20n?key=value#sub/path",
+			input:    "pkg:type/name/space/name@versio%20n%2Bbeta?key=value#sub/path",
+			expected: "pkg:type/name/space/name@versio%20n%2Bbeta?key=value#sub/path",
 		},
 		{
 			name:     "unencoded qualifier value is encoded",