explicitly check for unencoded characters when allowReserved is false

[karenetheridge]

allowReserved defaults to false, but we aren't checking that unencoded characters are appearing in the query parameters section of the request URI -- mojo just happily url-unescapes what it sees, without checking if some things already were un-escaped.

[karenetheridge]

This is very difficult to do because we don't usually have access to the raw request -- we get it as a Mojo::Message::Request which has already been parsed and the query parameters normalized.

Also, Mojolicious serializes to + in query parameters rather than to %20, which is common but still incorrect per RFC3986: https://stackoverflow.com/questions/2678551/when-should-space-be-encoded-to-plus-or-20

And also, the specified serialization formats all violate the RFC as well: OAI/OpenAPI-Specification#1942 (comment)

[karenetheridge]

see also OAI/OpenAPI-Specification#3759