
URL decode data after splitting the arguments

Data decoding should happen after the parsing; if not, a decoded '?', '&',
'#' or other character will interfere with the parsing. E.g. if the
user's password contains a '&', it is truncated at that character
and login will fail.
Nicolai Dagestad 6 months ago
parent
commit
ba5cbb6d82
4 changed files with 9 additions and 16 deletions
  1. 4 8
      mastoapi.c
  2. 2 4
      xs_fcgi.h
  3. 2 3
      xs_httpd.h
  4. 1 1
      xs_url.h

+ 4 - 8
mastoapi.c

@@ -262,8 +262,7 @@ int oauth_post_handler(const xs_dict *req, const char *q_path,
     }
     else
     if (i_ctype && xs_startswith(i_ctype, "application/x-www-form-urlencoded") && payload) {
-        xs *upl = xs_url_dec(payload);
-        args    = xs_url_vars(upl);
+        args    = xs_url_vars(payload);
     }
     else
         args = xs_dup(xs_dict_get(req, "p_vars"));
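Review bot: The new `args    = xs_url_vars(payload);` line depends on xs_url_vars() now doing the percent-decoding itself, and nothing at the call site says the payload must be passed still encoded. A short comment such as `/* payload stays raw: xs_url_vars() decodes each pair after splitting */` would stop a later edit from re-adding xs_url_dec() here and double-decoding values that contain a literal '%' (a password is the obvious case). The same applies to the identical lines in mastoapi_post_handler, mastoapi_delete_handler and mastoapi_patch_handler. Any xs_url_vars() caller outside this diff that still pre-decodes its input should be checked as well.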
@@ -2361,8 +2360,7 @@ int mastoapi_post_handler(const xs_dict *req, const char *q_path,
     {
         // Some apps send form data instead of json so we should cater for those
         if (!xs_is_null(payload)) {
-            xs *upl = xs_url_dec(payload);
-            args    = xs_url_vars(upl);
+            args    = xs_url_vars(payload);
         }
     }
     else
@@ -2959,8 +2957,7 @@ int mastoapi_delete_handler(const xs_dict *req, const char *q_path,
     {
         // Some apps send form data instead of json so we should cater for those
         if (!xs_is_null(payload)) {
-            xs *upl = xs_url_dec(payload);
-            args    = xs_url_vars(upl);
+            args = xs_url_vars(payload);
         }
     }
     else
@@ -3194,8 +3191,7 @@ int mastoapi_patch_handler(const xs_dict *req, const char *q_path,
     {
         // Some apps send form data instead of json so we should cater for those
         if (!xs_is_null(payload)) {
-            xs *upl = xs_url_dec(payload);
-            args    = xs_url_vars(upl);
+            args    = xs_url_vars(payload);
         }
     }
     else

+ 2 - 4
xs_fcgi.h

@@ -179,8 +179,7 @@ xs_dict *xs_fcgi_request(FILE *f, xs_str **payload, int *p_size, int *fcgi_id)
                         req = xs_dict_append(req, "method", v);
                     else
                     if (strcmp(k, "REQUEST_URI") == 0) {
-                        xs *udp = xs_url_dec(v);
-                        xs *pnv = xs_split_n(udp, "?", 1);
+                        xs *pnv = xs_split_n(v, "?", 1);
 
                         /* store the path */
                         req = xs_dict_append(req, "path", xs_list_get(pnv, 0));
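Review bot: The path stored by `req = xs_dict_append(req, "path", xs_list_get(pnv, 0));` is now the raw, still percent-encoded request path, because the decode that ran before the split was removed and nothing replaces it for the path half. Unless the path is decoded further down in xs_fcgi_request (its body continues outside this hunk), route matching and any path-based checks will see `%xx` sequences where they previously saw decoded characters, and may disagree with a front-end proxy about which resource is requested. Decoding only the path element after the split keeps both the fix and the old behaviour: `xs *path = xs_url_dec(xs_list_get(pnv, 0));` followed by `req = xs_dict_append(req, "path", path);`. The first hunk of xs_httpd.h has the same pattern; its store line lies just past the end of that hunk.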
@@ -233,8 +232,7 @@ xs_dict *xs_fcgi_request(FILE *f, xs_str **payload, int *p_size, int *fcgi_id)
                 const char *ct = xs_dict_get(req, "content-type");
 
                 if (*payload && ct && strcmp(ct, "application/x-www-form-urlencoded") == 0) {
-                    xs *upl = xs_url_dec(*payload);
-                    p_vars  = xs_url_vars(upl);
+                    p_vars  = xs_url_vars(*payload);
                 }
                 else
                 if (*payload && ct && xs_startswith(ct, "multipart/form-data")) {

+ 2 - 3
xs_httpd.h

@@ -36,7 +36,7 @@ xs_dict *xs_httpd_request(FILE *f, xs_str **payload, int *p_size)
 
     {
         /* split the path with its optional variables */
-        xs *udp = xs_url_dec(xs_list_get(l2, 1));
+        const xs_val *udp = xs_list_get(l2, 1);
         xs *pnv = xs_split_n(udp, "?", 1);
 
         /* store the path */
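Review bot: `udp` on the changed line no longer holds a decoded value, so the name (which reads as "URL-decoded path") now misleads anyone checking where decoding happens. Either rename it to say it is the raw request target, or drop the temporary and write `xs *pnv = xs_split_n(xs_list_get(l2, 1), "?", 1);`. The enclosing block continues past this hunk.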
@@ -75,8 +75,7 @@ xs_dict *xs_httpd_request(FILE *f, xs_str **payload, int *p_size)
     v = xs_dict_get(req, "content-type");
 
     if (*payload && v && strcmp(v, "application/x-www-form-urlencoded") == 0) {
-        xs *upl = xs_url_dec(*payload);
-        p_vars  = xs_url_vars(upl);
+        p_vars  = xs_url_vars(*payload);
     }
     else
     if (*payload && v && xs_startswith(v, "multipart/form-data")) {

+ 1 - 1
xs_url.h

@@ -53,7 +53,7 @@ xs_dict *xs_url_vars(const char *str)
         const xs_val *v;
 
         xs_list_foreach(args, v) {
-            xs *kv = xs_split_n(v, "=", 1);
+            xs *kv = xs_split_n(xs_url_dec(v), "=", 1);
 
             if (xs_list_len(kv) == 2) {
                 const char *key = xs_list_get(kv, 0);
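Review bot: The string returned by `xs_url_dec(v)` on the changed line is passed straight into xs_split_n() and never freed. Every call site this commit removes held that result in an `xs *` auto-cleanup variable, which suggests the caller owns it, so each request parameter would leak one allocation and a client controls how many there are. Holding it in a local fixes this: `xs *dv = xs_url_dec(v);` then `xs *kv = xs_split_n(dv, "=", 1);`. Decoding before the '=' split also leaves a smaller version of the bug being fixed, since a key containing `%3D` is split at the decoded '='. Splitting the raw pair first and decoding key and value separately would close that, but it touches the rest of the loop, which continues past this hunk.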