Reject unencoded query delimiters in path query input

cursoragent · shrisukhani · cursoragent · commit e7bb37a4e4ca · 2026-02-13T11:23:30.000Z
Co-authored-by: Shri Sukhani &lt;shrisukhani@users.noreply.github.com&gt;
diff --git a/hyperbrowser/client/base.py b/hyperbrowser/client/base.py
@@ -91,6 +91,10 @@ def _build_url(self, path: str) -> str:
         raw_query_component = (
             stripped_path.split("?", 1)[1] if "?" in stripped_path else ""
         )
+        if "?" in raw_query_component or "#" in raw_query_component:
+            raise HyperbrowserError(
+                "path query must not contain unencoded delimiter characters"
+            )
         if any(
             character.isspace() or ord(character) < 32 or ord(character) == 127
             for character in raw_query_component
diff --git a/tests/test_url_building.py b/tests/test_url_building.py
@@ -326,6 +326,11 @@ def test_client_build_url_rejects_empty_or_non_string_paths():
             match="path query must not contain unencoded whitespace or control characters",
         ):
             client._build_url("/session?foo=bar baz")
+        with pytest.raises(
+            HyperbrowserError,
+            match="path query must not contain unencoded delimiter characters",
+        ):
+            client._build_url("/session?foo=bar?baz")
         with pytest.raises(
             HyperbrowserError,
             match="path query must not contain unencoded whitespace or control characters",
