views:

80

answers:

2

Imagine this simple form

<form action="<?php echo $_SERVER['REQUEST_URI']; ?>" method="post">
    <fieldset>
        <legend>Contact Me</legend>
        <label for="email">Email:</label>
        <input type="text" name="email" id="email" />
        <button type="submit">Submit</button>
    </fieldset>
</form>

Now imagine it is accessed via form.php?hack=" onsubmit="alert('xss')

The output when I view source is

<form action="/things/?hack=%22%20onsubmit=%22alert(%27xss%27)" method="post">

What is encoding this - is it the browser or PHP?

Outside of curiosity, I always echo $_SERVER['REQUEST_URI'] within htmlspecialchars().

+1  A: 

That is done by the browsers. If you are under some PHP framework, some of them also change it. It is similar to what you do using PHP's urlencode function.

Sarfraz
No framework - thanks for your answer.
alex
@alex: you are welcome :)
Sarfraz
+1  A: 

If you enter form.php?hack=" onsubmit="alert('xss') into your address field of your browser, it converts it to form.php?hack=%22%20onsubmit=%22alert(%27xss%27) as the " and space characters are not allowed in a URI. So they must be encoded. The ' is allowed in URIs but may also be encoded.

Gumbo
Will any user agents not do this?
alex
@alex: Lynx 2.8.6rel.5 appears not to, for one.
outis
@alex: Hopefully yes.
Gumbo
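An added example (not code from the question or answers) that ties the two points together: browsers percent-encode the query, but as the Lynx comment shows, not every client does, so the server must escape before echoing. Both URIs below are constructed values; formActionUnsafe and formActionSafe are hypothetical helper names that mirror the question's form action.

```php
<?php
// Added example, not from the original page. Models the form action from
// the question, which echoes $_SERVER['REQUEST_URI'] into an attribute.

// Mirrors the original form: the request URI goes into the attribute unescaped.
function formActionUnsafe(string $requestUri): string
{
    return '<form action="' . $requestUri . '" method="post">';
}

// Hardened form: htmlspecialchars turns ", ', <, > and & into entities,
// so the value can never close the action attribute or start a new one.
function formActionSafe(string $requestUri): string
{
    return '<form action="' . htmlspecialchars($requestUri, ENT_QUOTES, 'UTF-8') . '" method="post">';
}

// Constructed: what a typical browser sends after percent-encoding " and space.
$browserUri = '/things/?hack=%22%20onsubmit=%22alert(%27xss%27)';

// Constructed: the same query sent verbatim by a client that does not
// normalize the URL (a raw socket, or an older user agent such as Lynx).
$rawUri = '/things/?hack=" onsubmit="alert(\'xss\')';

foreach (['browser' => $browserUri, 'raw client' => $rawUri] as $label => $uri) {
    echo "[$label] unsafe: ", formActionUnsafe($uri), "\n";
    echo "[$label] safe:   ", formActionSafe($uri), "\n\n";
}
```

For the browser-encoded URI both outputs are harmless; for the raw URI only the htmlspecialchars version keeps the whole query inside the action attribute, which is why the escaping belongs in PHP rather than being left to the client.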