应该使用encodeURI吗? [英] should encodeURI ever be used?
问题描述
javascript的encodeURI函数是否有用?
据我所知,当您尝试发出HTTP请求时,您应该: / p>
- 一个完整的URI
- 你想要放入URI的一些片段,它是一个unicode字符串或UTF-8字节序列
在第一种情况下,显然不需要做任何事情来请求它。注意:如果您确实想将其作为参数传递(例如?url = http ...),那么您实际上有第二种情况的实例看起来像一个URI。
在第二种情况下,您应始终将unicode字符串转换为UTF-8,然后在将其添加到URI之前调用encodeURIComponent以转义所有字符。 (如果您有UTF-8字节序列而不是unicode字符串,则可以跳过convert-to-utf8步骤。)
假设我没有错过任何内容,我可以看不到encodeURI的有效用途。如果你使用它,很可能你构造了一个无效的URI,然后尝试在事后消毒它,这是不可能的,因为你不知道哪些字符是字面上的意图,哪些是打算转义的。
我看到很多反对使用escape()的建议,但是没有看到任何人阻止encodeURI。我错过了有效用途吗?
我有博客文章,详细解答了这个问题。
您应从不使用 encodeURI 以编程方式构建URI,原因如您所知 - 您应该始终使用单个组件上的 encodeURIComponent ,然后将它们组成一个完整的URI。
其中 encodeURI 几乎有用的是清理URI,符合 Postel定律(你接受的是自由,你发送的是保守的。)如果有人给你一个完整的URI,它可能包含非法字符,如空格,某些ASCII字符(例如双引号)和Unicode字符。 encodeURI 可用于将这些非法字符转换为合法的百分比转义序列,而无需编码分隔符。同样, decodeURI 可用于漂亮地打印URI,将百分比转义序列显示为技术上非法的裸字符。
例如,网址:
http://example.com/admin/login?name=Helen Ødegård& gender = f
是非法的,但它仍然是完全明确的。 encodeURI 将其转换为有效的URI:
http://示例.com / admin / login?name = Helen%20%C3%98deg%C3%A5rd& gender = f
可能希望执行此类URI清理的应用程序示例是Web浏览器。当您在地址栏中键入URL时,它应该尝试将任何非法字符转换为percent-escapes,而不是仅仅出错。处理URI的软件(例如,想要获取页面上超链接中的所有URL的HTML scraper)也可能希望应用此类清理,以防任何URL在技术上是非法的。
不幸的是, encodeURI 有一个严重的缺陷,即它会逃脱'%'字符,这使得它对于URI清理完全没用(它会加倍 - 转义任何已经有百分之转义的URI。因此,我借用了 Mozilla的fixedEncodeURI 功能并对其进行了改进,以便正确清理URI:
function fixedEncodeURI(str){
return encodeURI(str).replace(/%25 / g, '%')。replace(/%5B / g,'[').replace(/%5D / g,']');
}
所以你应该总是使用 encodeURIComponent 在内部构造URI。你应该永远不要使用 encodeURI ,但你可以使用我的 fixedEncodeURI 来尝试清理已经存在的URI从外部源提供(通常作为用户界面的一部分)。
Is there any valid use for javascript's encodeURI function?
As far as I can tell, when you are trying to make a HTTP request you should either have:
- a complete URI
- some fragment you want to put in a URI, which is either a unicode string or UTF-8 byte sequence
In the first case, obviously nothing needs to be done to request it. Note: if you actually want to pass it as a parameter (e.g ?url=http...) then you actually have an instance of the second case that happens to look like a URI.
In the second case, you should always convert a unicode string into UTF-8, and then call encodeURIComponent to escape all characters before adding it to a URI. (If you have a UTF-8 byte sequence instead of a unicode string you can skip the convert-to-utf8 step).
Assuming I havent missed anything, I can't see a valid use for encodeURI. If you use it, it's likely you've constructed an invalid URI and then attempted to "sanitize" it after the fact, which is simply not possible since you don't know which characters were intended literally, and which were intended to be escaped.
I have seen a lot of advice against using escape(), but don't see anybody discouraging encodeURI. Am I missing a valid use?
I have a blog post which answers this question in a lot of detail.
You should never use encodeURI to construct a URI programmatically, for the reasons you say -- you should always use encodeURIComponent on the individual components, and then compose them into a complete URI.
Where encodeURI is almost useful is in "cleaning" a URI, in accordance with Postel's Law ("Be liberal in what you accept, and conservative in what you send.") If someone gives you a complete URI, it may contain illegal characters, such as spaces, certain ASCII characters (such as double-quotes) and Unicode characters. encodeURI can be used to convert those illegal characters into legal percent-escaped sequences, without encoding delimiters. Similarly, decodeURI can be used to "pretty-print" a URI, showing percent-escaped sequences as technically-illegal bare characters.
For example, the URL:
http://example.com/admin/login?name=Helen Ødegård&gender=f
is illegal, but it is still completely unambiguous. encodeURI converts it into the valid URI:
http://example.com/admin/login?name=Helen%20%C3%98deg%C3%A5rd&gender=f
An example of an application that might want to do this sort of "URI cleaning" is a web browser. When you type a URL into the address bar, it should attempt to convert any illegal characters into percent-escapes, rather than just having an error. Software that processes URIs (e.g., an HTML scraper that wants to get all the URLs in hyperlinks on a page) may also want to apply this kind of cleaning in case any of the URLs are technically illegal.
Unfortunately, encodeURI has a critical flaw, which is that it escapes '%' characters, making it completely useless for URI cleaning (it will double-escape any URI that already had percent-escapes). I have therefore borrowed Mozilla's fixedEncodeURI function and improved it so that it correctly cleans URIs:
function fixedEncodeURI(str) {
return encodeURI(str).replace(/%25/g, '%').replace(/%5B/g, '[').replace(/%5D/g, ']');
}
So you should always use encodeURIComponent to construct URIs internally. You should only never use encodeURI, but you can use my fixedEncodeURI to attempt to "clean up" URIs that have been supplied from an external source (usually as part of a user interface).
这篇关于应该使用encodeURI吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
