javascript - How to encode ".." for use in a URL path? - Stack Overflow

admin管理员组

文章数量:1312910

I'm trying to construct a URL with something like:

var myUrl = '/path/to/api/' + encodeURIComponent(str);

But if str is .. then your browser automatically lops off a path segment so that the URL bees /path/to which is not what I want.

I've tried encoding .. as %2E%2E but your browser still re-interprets it before the request is sent. Is there anything I can do to have path actually e through to my server as /path/to/api/..?

I'm trying to construct a URL with something like:

var myUrl = '/path/to/api/' + encodeURIComponent(str);

But if str is .. then your browser automatically lops off a path segment so that the URL bees /path/to which is not what I want.

I've tried encoding .. as %2E%2E but your browser still re-interprets it before the request is sent. Is there anything I can do to have path actually e through to my server as /path/to/api/..?

• javascript
• urlencode

Share Improve this question Follow edited Mar 11, 2016 at 18:24 Jeremy Banks 130k8888 gold badges358358 silver badges381381 bronze badges asked Mar 11, 2016 at 18:09 mpenmpen 283k281281 gold badges890890 silver badges1.3k1.3k bronze badges 13

• that seems really fragile - can you change the server? – Daniel A. White Commented Mar 11, 2016 at 18:11
• '../' is how you backup a directory. So it is being interpreted as you wrote it. Why do you need .. at the end of your file path? You might be better served to change the name if you don't want it to back up to /path/to – amflare Commented Mar 11, 2016 at 18:12
• 2 @Oriol Not from the string, from the request. Go ahead and try it, paste this in your address bar: http://stackoverflow./questions/35947065/.. and then try http://stackoverflow./questions/35947065/%2E%2E -- same thing. – mpen Commented Mar 11, 2016 at 18:17
• 1 @amflare I think he's pretty clear: he wants to take an arbitrary user-provided string and send it to the server as part of a URL, but the browser is rewriting certain forms if they're in the path. – Jeremy Banks Commented Mar 11, 2016 at 18:20
• 1 @JeremyBanks I get that, but I don't understand the insistence of using .. in all his examples. His code should work fine if you used something like 'test'. So clearly there is another layer here. Perhaps it's obvious and I'm just missing it. – amflare Commented Mar 11, 2016 at 18:24

 |  Show 8 more ments

3 Answers 3

Sorted by: Reset to default 8

I believe this is not supported because the behaviour would violate RFC 3986.

From Section 2.3. Unreserved Characters (emphasis mine):

Characters that are allowed in a URI but do not have a reserved purpose are called unreserved. These include uppercase and lowercase letters, decimal digits, hyphen, period, underscore, and tilde.

 unreserved  = ALPHA / DIGIT / "-" / "." / "_" / "~"

URIs that differ in the replacement of an unreserved character with its corresponding percent-encoded US-ASCII octet are equivalent: they identify the same resource. However, URI parison implementations do not always perform normalization prior to parison (see Section 6). For consistency, percent-encoded octets in the ranges of ALPHA (%41-%5A and %61-%7A), DIGIT (%30-%39), hyphen (%2D), period (%2E), underscore (%5F), or tilde (%7E) should not be created by URI producers and, when found in a URI, should be decoded to their corresponding unreserved characters by URI normalizers.

From Section 6.2.2.3. Path Segment Normalization (emphasis mine):

The plete path segments "." and ".." are intended only for use within relative references (Section 4.1) and are removed as part of the reference resolution process (Section 5.2). However, some deployed implementations incorrectly assume that reference resolution is not necessary when the reference is already a URI and thus fail to remove dot-segments when they occur in non-relative paths. URI normalizers should remove dot-segments by applying the remove_dot_segments algorithm to the path, as described in Section 5.2.4.):

I've actually done similar by double encoding the text, then un-encoding it on the server back end. However, mine were query parameters, not part of the path.

PS. This is written on my phone, I'll add an example later.

Seeing as there's no solution, there's not much we can do but error:

export function encodeUriComponent(str) {
    if(str === '.' || str === '..') {
        throw new Error(`Cannot URI-encode "${str}" per RFC 3986 §6.2.2.3`)
    }
    return encodeURIComponent(str);
}

I feel that this is a better option than arbitrarily modifying the URL path which is exactly what I was trying to avoid by using encodeURIComponent.

本文标签： javascriptHow to encode quotquot for use in a URL pathStack Overflow