为什么这个％2B字符串被urldecoded？ [英] Why is this %2B string being urldecoded?

问题描述

[这可能不是一个编程问题，但这是一个可能最好由程序员回答的难题。我首先在Pro网站管理员网站上尝试过，以压倒一切的沉默]

我们在我们的网站上有一个电子邮件地址验证过程。该网站首先生成一个适当的键作为字符串

  mykey 
  

然后将该密钥编码为一堆字节

 & $ DAC〜ʌ！ 
  

然后base64编码这串字节

  JiRkYWN + yoyIhIQ == 
  

由于这个关键作为要放在HTML电子邮件中的URL的查询字符串值给定，我们需要首先对其进行URLE编码，然后HTMLEncode结果，给我们（在示例中没有HTMLEncoding的影响，但是我不能麻烦重做示例）

  JiRkYWN％2ByoyIhIQ％3D％3D 
  pre> 
 
 
然后将其嵌入到作为电子邮件一部分发送的HTML中，如：
 点击< a href =http：// myapp / verify？key = JiRkYWN％2ByoyIhIQ％3D％3D> here< / a> ;. 
或粘贴< b> http：// myapp / verify？key = JiRkYWN％2ByoyIhIQ％3D％3D< / b>进入你的浏览器
  
当接收用户点击链接时，网站收到请求，提取查询字符串的值'key'参数，base64对其进行解码，解密，并根据站点逻辑进行适当的处​​理。
 
 
 
 报告用户的点击无效。一个这样的用户向我们发送了他发送的电子邮件，并且在检查时HTML被转换成（以上面的例子为例）
 点击< a href =http：// myapp / verify？key = JiRkYWN + yoyIhIQ％3D％3D> here< / a> 
或粘贴< b> http：// myapp / verify？key = JiRkYWN + yoyIhIQ％3D％3D< / b>进入你的浏览器
  
也就是说，％2B字符串 - 但没有其他百分比编码字符串 - 已经转换为一个好处。 （这绝对是让我们使用正确的值 - 我查看了适当的SMTP日志）。
  key = JiRkYWN％2ByoyIhIQ％3D％3D 
 key = JiRkYWN + yoyIhIQ％3D％3D 
  
所以我认为有几种可能性：
 
 
 
有一些我在做的事情是愚蠢的，我不能看到，或
 
 
 
 
某些邮件客户端将％2b字符串转换为加号，可能是为了应对人们错误的URLEncoding加号的问题
 
 
 
如果是1  - 是什么？在2  - 是否有一种标准的，已知的处理这种情况的方法？
 
 
 
非常感谢任何帮助
解决方案
问题在于这个步骤
 
 
检查HTML已经被转换（根据上面的例子）
 
 
 
 
 
 点击< a href =的 http：// MYAPP /验证键= JiRkYWN + yoyIhIQ％3D％3D？ >此处< / A> 
或粘贴< b> http：// myapp / verify？key = JiRkYWN + yoyIhIQ％3D％3D< / b>进入
您的浏览器。 
  
 
 
 
 
 
即，％2B字符串 - 但没有其他百分比编码
字符串 - 已被转换为加号
 
 
您在另一端的应用程序必须缺少一个转义。不管如果有一个％2B或一个+一个函数像perls uri_unescape返回一致的答案
  DB< 9>使用URI :: Escape; 
 DB< 10> x uri_unescape（JiRkYWN + yoyIhIQ％3D％3D）
 0'JiRkYWN + yoyIhIQ =='
 DB< 11> x uri_unescape（JiRkYWN％2ByoyIhIQ％3D％3D）
 0'JiRkYWN + yoyIhIQ =='
  
这是应该发生的事情我正在展示的是步骤。我在调试器中使用perl。步骤54将字符串编码为base64。步骤55显示如何将base64编码的字符串制成uri转义参数。步骤56和57是客户端应该做的解码。
 
 
 
一个可能的工作是确保您的base64密钥不包含任何加号！ 
  DB< 53> $ key =AB〜
 DB< 54> x encode_base64（$ key）
 0'QUJ + 
'
 DB< 55> x uri_escape（'QUJ +'）
 0'QUJ％2B'
 DB< 56> x uri_unescape（'QUJ％2B'）
 0'QUJ +'
 DB< 57> $ result = decode_base64（'QUJ +'）
 DB< 58> x $ result 
 0'AB〜'
  
 
[This may not be precisely a programming question, but it's  a puzzle that may best be answered by programmers. I tried it first on the Pro Webmasters site, to overwhelming silence]

We have an email address verification process on our website. The site first generates an appropriate key as a string
mykey
It then encodes that key as a bunch of bytes
&$dac~ʌ����!
It then base64 encodes that bunch of bytes
JiRkYWN+yoyIhIQ==
Since this key is going to be given as a querystring value of a URL that is to be placed in an HTML email, we need to first URLEncode it then HTMLEncode the result, giving us (there's no effect of HTMLEncoding in the example case, but I can't be bothered to rework the example)
JiRkYWN%2ByoyIhIQ%3D%3D
This is then embedded in HTML that is sent as part of an email, something like:
click <a href="http://myapp/verify?key=JiRkYWN%2ByoyIhIQ%3D%3D">here</a>. 
Or paste <b>http://myapp/verify?key=JiRkYWN%2ByoyIhIQ%3D%3D</b> into your browser.
When the receiving user clicks on the link, the site receives the request, extracts the value of the querystring 'key' parameter, base64 decodes it, decrypts it, and does the appropriate thing in terms of the site logic.

However on occasion we have users who report that their clicking is ineffective. One such user forwarded us the email he had been sent, and on inspection the HTML had been transformed into (to put it in terms of the example above)
click <a href="http://myapp/verify?key=JiRkYWN+yoyIhIQ%3D%3D">here</a>
Or paste <b>http://myapp/verify?key=JiRkYWN+yoyIhIQ%3D%3D</b> into your browser.
That is, the %2B string - but none of the other percentage encoded strings - had been converted into a plus. (It's definitely leaving us with the right values - I've looked at the appropriate SMTP logs).
key=JiRkYWN%2ByoyIhIQ%3D%3D
key=JiRkYWN+yoyIhIQ%3D%3D
So I think that there are a couple of possibilities:

There's something I'm doing that's stupid, that I can't see, or 
Some mail clients convert %2b strings to plus signs, perhaps to try to cope with the problem of people mistakenly URLEncoding plus signs 
In case of 1 - what is it? In case of 2 - is there a standard, known way of dealing with this kind of scenario?

Many thanks for any help
解决方案
The problem lies at this step

  
on inspection the HTML had been transformed into (to put it in terms of the example above)


click <a href="http://myapp/verify?key=JiRkYWN+yoyIhIQ%3D%3D">here</a>
Or paste <b>http://myapp/verify?key=JiRkYWN+yoyIhIQ%3D%3D</b> into
your browser.



  
That is, the %2B string - but none of the other percentage encoded
  strings - had been converted into a plus
Your application at "the other end" must be missing a step of unescaping.  Regardless of if there is a %2B or a + a function like perls uri_unescape returns consistent answers
DB<9> use URI::Escape;
DB<10> x uri_unescape("JiRkYWN+yoyIhIQ%3D%3D")
0  'JiRkYWN+yoyIhIQ=='
DB<11> x uri_unescape("JiRkYWN%2ByoyIhIQ%3D%3D")
0  'JiRkYWN+yoyIhIQ=='
Here is what should be happening.  All I'm showing are the steps.  I'm using perl in a debugger.  Step 54 encodes the string to base64.  Step 55 shows how the base64 encoded string could be made into a uri escaped parameter.  Steps 56 and 57 are what the client end should be doing to decode.

One possible work around is to ensure that your base64 "key" does not contain any plus signs!
  DB<53> $key="AB~"
  DB<54> x encode_base64($key)
0  'QUJ+
'
  DB<55> x uri_escape('QUJ+') 
0  'QUJ%2B'
  DB<56> x uri_unescape('QUJ%2B')
0  'QUJ+'
  DB<57> $result=decode_base64('QUJ+')
  DB<58> x $result
0  'AB~'


                        
这篇关于为什么这个％2B字符串被urldecoded？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！