如何在GET上阻止浏览器从url编码表单值 [英] How can I stop the browser from url-encoding form values on GET
问题描述
我有一个包含 method =get
的表单。在表单中,我需要传递一个CSS文件的URL,但它编码为 http%3A%2F%2Fwww ...
等。
有一种方法可以在打破文件时停止URL的编码。
感谢
背景
这看起来比人们想象的更加微妙。对于任何URL,它是URI标准的特定形式,某些字符是特殊的。特殊字符包括:
(方案分隔符)和 /
(路径或层次结构分隔符),这里是完整的列表来自 RFC-2396 的保留符号:
< blockquote>
reserved =; | /| ? | :| @| &| =| +|
$| ,
它与安全无关,更多的只是遵循一个标准:在任何URI,URL或URN。当您需要将它们用作路径或查询字符串(GET请求为您创建查询字符串)时,您需要转义它们。转义的简短版本是:以UTF-8字节为十六进制,并在它们前面加上%
符号。在保留字符的情况下,它始终是UTF-8中的单字节字符,因此转义为两个十六进制数字。
解决方案路径
回到您的问题。你没有提到你使用什么语言。但任何与互联网工作的语言都有一种编码或解码URL的方式。一些有帮助函数来解码整个URL,但通常你最好将它分成一个名称/值对,然后解码。
注意:最好始终解码查询值,这是因为当人们输入在值中,他们不知道该值是否保留,浏览器会为您编码。
如果您需要在网页内解码,而不是在网页上进行解码,则可能会导致安全隐患。在服务器端,你将需要JavaScript来完成这项工作。请查看此网页查找/解码网址,或使用Google查找其他网址。
I have a form with method="get"
. In the form I need to pass the URL of a CSS file but it is encoding it to http%3A%2F%2Fwww...
etc.
Is there a way to stop the encoding of the URL as it is breaking the file.
Thanks
Background
It's a bit more subtle than one might think at first sight. For any URL, which is a specific form of the URI standard, certain characters are special. Among the special characters are :
(scheme separator) and /
(path or hierarchy separator), here's the full list of reserved symbols from RFC-2396:
reserved = ";" | "/" | "?" | ":" | "@" | "&" | "=" | "+" | "$" | ","
It has little to do with security, much more with simply following a standard: these symbols mean something special in any URI, URL or URN. When you need to use them as part of a path or a querystring (the GET request creates a query string for you), you need to escape them. The short version of escaping is: take the UTF-8 bytes as hexadecimal and precede them with a %
sign. In the case of the reserved characters, that's always a single-byte character in UTF-8 and thus escaped as two hex digits.
Path to a solution
Back to your problem. You didn't mention what language you were using. But any language that works with the internet has a way of encoding or decoding URLs. Some have helper functions to decode an entire URL, but normally you are better of splitting it into a name/value pairs and then decoding it. This will give you the absolute URL-path you need.
Note: it is best to always decode query values, simply because when people type in a value, they won't know whether that value is reserved, and the browser will encode it for you. Not doing so poses a security risk.
EDIT: When you need to decode within a page, not on the server side, you're going to need JavaScript to do the job. Have a look at this page for en/decoding URLs, or use Google to find many others.
这篇关于如何在GET上阻止浏览器从url编码表单值的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!