Is a colon `:` safe for friendly-URL use?


Problem description

We are designing a URL system that will specify application sections as words separated by slashes. Specifically, this is in GWT, so the relevant parts of the URL will be in the hash (which will be interpreted by a controller layer on the client-side):

http://site/gwturl#section1/section2

Some sections may need additional attributes, which we'd like to specify with a :, so that the section parts of the URL are unambiguous. The code would split first on /, then on :, like this:

http://site/gwturl#user:45/comments

Of course, we are doing this for url-friendliness, so we'd like to make sure that none of these characters which will hold special meaning will be url-encoded by browsers, or any other system, and end up with a url like this:

http://site/gwturl#user%3A45/comments <--- BAD

Is using the colon in this way safe (by which I mean won't be automatically encoded) for browsers, bookmarking systems, even JavaScript or Java code?

Recommended answer

I recently wrote a URL encoder, so this is pretty fresh in my mind.

http://site/gwturl#user:45/comments

All the characters in the fragment part (user:45/comments) are perfectly legal for RFC 3986 URIs.

The relevant parts of the ABNF:

fragment      = *( pchar / "/" / "?" )
pchar         = unreserved / pct-encoded / sub-delims / ":" / "@"
unreserved    = ALPHA / DIGIT / "-" / "." / "_" / "~"
pct-encoded   = "%" HEXDIG HEXDIG
sub-delims    = "!" / "$" / "&" / "'" / "(" / ")"
                 / "*" / "+" / "," / ";" / "="

Apart from these restrictions, the fragment part has no defined structure beyond the one your application gives it. The scheme, http, only says that you don't send this part to the server.

Oh dear!

Despite my assertions about the URI spec, irreputable provides the correct answer when he points out that the HTML 4 spec restricts element names/identifiers.

Note that identifier rules are changing in HTML 5. URI restrictions will still apply (at time of writing, there are some unresolved issues around HTML 5's use of URIs).
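
The fragment grammar quoted in the answer, combined with the "split on `/`, then on `:`" scheme from the question, as an added example that is not part of the original question or answer. The function names (`isLegalFragment`, `parseFragment`, `buildFragment`) and the sample values in the comments are assumptions made for illustration.

```javascript
// Added example; all names here are hypothetical, not from the original post.
// fragment = *( pchar / "/" / "?" ), per the RFC 3986 ABNF quoted in the answer.
const FRAGMENT_RE = /^(?:[A-Za-z0-9\-._~!$&'()*+,;=:@\/?]|%[0-9A-Fa-f]{2})*$/;

function isLegalFragment(fragment) {
  return FRAGMENT_RE.test(fragment);
}

// Split on "/" first, then on the first ":", and only then percent-decode.
// Decoding after splitting means an encoded delimiter inside a value
// (%2F or %3A) is treated as data and cannot change the structure.
function parseFragment(fragment) {
  if (!isLegalFragment(fragment)) {
    throw new Error("fragment is outside the RFC 3986 fragment grammar");
  }
  return fragment.split("/").map((part) => {
    const i = part.indexOf(":");
    const name = i === -1 ? part : part.slice(0, i);
    const attr = i === -1 ? null : part.slice(i + 1);
    return {
      section: decodeURIComponent(name),
      attribute: attr === null ? null : decodeURIComponent(attr),
    };
  });
}

// Build side: encodeURIComponent turns ":" and "/" into %3A and %2F, so it is
// applied to each piece separately, never to the already-joined fragment.
function buildFragment(sections) {
  return sections
    .map(({ section, attribute }) =>
      attribute === null || attribute === undefined
        ? encodeURIComponent(section)
        : encodeURIComponent(section) + ":" + encodeURIComponent(attribute))
    .join("/");
}

// Constructed sample: "user:45/comments" parses to
//   [{section: "user", attribute: "45"}, {section: "comments", attribute: null}]
// while "user%3A45/comments" (the "BAD" form from the question) is still a
// legal fragment but parses to a single section named "user:45".
```

`decodeURIComponent` throws a `URIError` on percent-escapes that are not valid UTF-8 (for example `%FF`), so callers handling untrusted fragments should catch it.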
