Three encoding functions in JS: escape, encodeURI, encodeURIComponent

Source: Internet
Author: User
Tags: rfc, truncated

1. escape(): This method does not encode ASCII letters and digits, nor the following ASCII punctuation: @ * _ + - . /. Every other character is replaced by an escape sequence: UTF-16 code units in the range 0-255 are written as %XX, and code units above 255 are written in the non-standard %uXXXX form.

Because escape() works on UTF-16 code units rather than on UTF-8 bytes, its output for non-ASCII text is not what a URL decoder expects: a Latin-1 character such as "é" comes out as a single %E9 rather than the two UTF-8 bytes %C3%A9, and anything beyond Latin-1 comes out as %uXXXX.

unescape() decodes a string produced by escape().

ECMAScript 3 deprecates escape() and unescape(); applications should use encodeURI() / encodeURIComponent() and decodeURI() / decodeURIComponent() instead. decodeURIComponent() throws a URIError on %uXXXX sequences, so escape() output cannot be handed to anything that expects standard percent-encoding.
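The following added example (not code from the original article) shows the three behaviours just described side by side: what escape() emits for ASCII, Latin-1 and CJK input, what encodeURIComponent() emits for the same strings, and why only unescape() can reverse escape(). The sample strings are constructed for this example.

```javascript
// Added example: escape() versus encodeURIComponent(), and decoding the result.
// Sample inputs are constructed for this illustration.

// escape() percent-encodes Latin-1 code units (0-255) as %XX and everything
// above 0xFF as %uXXXX, a format only unescape() understands.
function escapeSamples() {
  return {
    ascii:  escape("a&t plastic"),    // "&" and space are Latin-1 -> %26, %20
    latin1: escape("caf\u00e9"),      // U+00E9 is <= 0xFF -> single %E9 (not UTF-8)
    cjk:    escape("\u4e2d\u6587"),   // 中文, above 0xFF -> %u4E2D%u6587
  };
}

// The same inputs through encodeURIComponent(): every non-ASCII character
// becomes the %XX bytes of its UTF-8 encoding, which any URL decoder accepts.
function uriComponentSamples() {
  return {
    ascii:  encodeURIComponent("a&t plastic"),
    latin1: encodeURIComponent("caf\u00e9"),    // %C3%A9 (two UTF-8 bytes)
    cjk:    encodeURIComponent("\u4e2d\u6587"), // %E4%B8%AD%E6%96%87
  };
}

// unescape() reverses escape(); decodeURIComponent() rejects %u sequences and
// non-UTF-8 byte sequences with a URIError, and a server-side decoder would
// reject or mangle them in the same way.
function roundTrip(s) {
  const escaped = escape(s);
  let viaDecodeURIComponent;
  try {
    viaDecodeURIComponent = decodeURIComponent(escaped);
  } catch (e) {
    viaDecodeURIComponent = e.name; // "URIError"
  }
  return {
    viaUnescape: unescape(escaped) === s,
    viaDecodeURIComponent,
  };
}
```

Only the pure-ASCII string survives decodeURIComponent(); both non-ASCII strings produce a URIError, which is the practical reason escape() is deprecated for anything that touches a URL.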

2. encodeURI and encodeURIComponent

Both encodeURI and encodeURIComponent are global functions defined in the ECMA-262 standard, and every language that implements that standard (JavaScript, ActionScript) provides them. Both encode strings for use in URIs (RFC 2396), but they are meant for different situations. To explain the difference we first need the classification of URI characters given in RFC 2396:
1> Reserved characters: characters with a special meaning in a URI, used to delimit its parts. They are: ";" | "/" | "?" | ":" | "@" | "&" | "=" | "+" | "$" | ","
2> Mark characters: punctuation that RFC 2396 lists as unreserved; it has no delimiting role in the URI syntax itself, although other RFCs may give it meaning in particular schemes. They are: "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"
3> Alphanumeric characters: the bulk of any URI: upper-case letters, lower-case letters and digits.


With these three classes of characters in hand, the difference between encodeURI and encodeURIComponent is easy to state:


encodeURI: This function escapes every character in the string that is not alphanumeric, mark or reserved (it also leaves "#" alone, so a complete URI with a fragment survives). Each character that needs escaping is converted to the %XX form of its UTF-8 bytes: one escape for an ASCII character (a space becomes "%20"), two for characters between \u0080 and \u07FF, three for the remaining characters up to \uFFFF, and four for characters outside the Basic Multilingual Plane, which JavaScript stores as a surrogate pair. A lone surrogate has no UTF-8 encoding, and both encodeURI and encodeURIComponent throw a URIError on it, something to catch when encoding untrusted or truncated input.


encodeURIComponent: This function differs from encodeURI in exactly one respect: it also escapes the reserved characters (and "#"). That is what keeps a parameter value from being cut off at a delimiter such as "&" or "#". For example, with the URL http://localhost:8080/xss/XssServlet?username=a&t plastic, the server-side code

String username = request.getParameter("username");

receives the value "a", not the "a&t plastic" we wanted. The value contains the reserved character "&", and because it was not encoded the servlet container treats it as the start of the next parameter and truncates username. The correct approach is to encode the value, encodeURIComponent("a&t plastic") == "a%26t%20plastic", and change the link above to

http://localhost:8080/xss/XssServlet?username=a%26t%20plastic

after which the backend gets the correct value: username == "a&t plastic".

Whenever a parameter value contains a URI reserved character it must be encoded this way.

For example, the character ":" is replaced by the escape sequence "%3A".
There are two functions because JavaScript code has two different encoding needs. encodeURI encodes a complete URI string, leaving its delimiters intact. encodeURIComponent encodes one part of a URI so that this part may itself contain reserved characters without their being interpreted as delimiters. This comes up constantly, for example in the URI:
http://www.mysite.com/send-to-friend.aspx?url=http://www.mysite.com/product.html
Here the send-to-friend.aspx page builds an HTML e-mail containing a link, and the link is the value of the url parameter. That value is a part of the URI that itself contains reserved characters (":" and "/"), so it must be encoded with encodeURIComponent before it is placed in the outer URI. Otherwise the reserved characters of the inner URL are parsed as delimiters of the outer one: an inner URL carrying its own ?a=1&b=2 query would have b=2 read as a parameter of send-to-friend.aspx rather than as part of the url value. The correct URI is:
http://www.mysite.com/send-to-friend.aspx?url=http%3A%2F%2Fwww.mysite.com%2Fproduct.html
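The truncation of username=a&t plastic and the nested-URL case above can both be reproduced with a small query-string builder and parser. This is an added example, not code from the article or from any servlet container: buildQuery and parseQuery are illustrative helpers, with parseQuery written to behave the way a container's getParameter() does (split on "&", then on the first "=", percent-decode, first value wins). The inner URL in nestedUrlExample is given a constructed query string of its own (?id=42&ref=mail) to go one step beyond the article's example and show the parameter leak.

```javascript
// Added example: encoding query-string components versus concatenating raw values.
// buildQuery/parseQuery are illustrative helpers, not a framework API.

function buildQuery(params) {
  return Object.entries(params)
    .map(([k, v]) => encodeURIComponent(k) + "=" + encodeURIComponent(v))
    .join("&");
}

function parseQuery(query) {
  const out = {};
  // Form decoders also map "+" to a space; decodeURIComponent alone does not.
  const decode = (s) => decodeURIComponent(s.replace(/\+/g, " "));
  for (const pair of query.split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? "" : pair.slice(eq + 1);
    const key = decode(rawKey);
    if (!(key in out)) out[key] = decode(rawVal); // first value wins, like getParameter()
  }
  return out;
}

// Unencoded value: the "&" inside the value becomes a parameter delimiter, so
// username is truncated to "a" and a stray parameter named "t plastic" appears.
function truncatedExample() {
  return parseQuery("username=a&t plastic");
}

// Encoded value: the delimiter travels as %26 and survives the round trip.
function encodedExample() {
  const q = buildQuery({ username: "a&t plastic" });
  return { query: q, parsed: parseQuery(q) };
}

// Nested URL as in the send-to-friend case. The inner query string is
// constructed for this example. Without encoding, the inner URL's own
// parameters leak into the outer one; with encoding, the inner URL is intact.
function nestedUrlExample() {
  const inner = "http://www.mysite.com/product.html?id=42&ref=mail";
  const raw = parseQuery("url=" + inner);
  const safe = parseQuery(buildQuery({ url: inner }));
  return { rawUrl: raw.url, rawLeakedRef: raw.ref, safeUrl: safe.url };
}
```

Note that the parser decodes with decodeURIComponent after the split, never before: decoding first would turn %26 back into "&" and re-create the truncation the encoding was meant to prevent. Real containers follow the same order.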

In practice encodeURIComponent is the one used most, because it converts Chinese, Korean and other non-ASCII characters into UTF-8 percent-encoding. So when you pass parameters to the backend from JavaScript, encode them with encodeURIComponent and make sure the backend decodes them as UTF-8; a form submitted by the browser, by contrast, uses the encoding of the current page, so a backend that assumes UTF-8 will mis-decode form input from a page served in another charset.

escape leaves 69 characters unencoded: * + - . / @ _ 0-9 a-z A-Z

encodeURI leaves 82 characters unencoded: ! # $ & ' ( ) * + , - . / : ; = ? @ _ ~ 0-9 a-z A-Z

encodeURIComponent leaves 71 characters unencoded: ! ' ( ) * - . _ ~ 0-9 a-z A-Z
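Rather than trusting the three lists above, the safe sets can be computed by running each function over every printable ASCII character; the added example below (not code from the original article) does that, derives the 11 characters that separate encodeURI from encodeURIComponent, and also measures the UTF-8 expansion described in the encodeURI section (1 to 4 escapes per code point) and the URIError on a lone surrogate. Sample characters are constructed for the example.

```javascript
// Added example: compute the unencoded character sets and UTF-8 expansion
// instead of relying on a table. Sample characters are constructed.

// Every printable ASCII character (0x20-0x7E) that a function returns
// unchanged is in that function's "safe" set.
function unencodedSet(fn) {
  let out = "";
  for (let code = 0x20; code <= 0x7e; code++) {
    const ch = String.fromCharCode(code);
    if (fn(ch) === ch) out += ch;
  }
  return out;
}

function unencodedCounts() {
  return {
    escape: unencodedSet(escape).length,                           // 69
    encodeURI: unencodedSet(encodeURI).length,                     // 82
    encodeURIComponent: unencodedSet(encodeURIComponent).length,   // 71
  };
}

// Characters encodeURI leaves alone but encodeURIComponent escapes:
// the RFC 2396 reserved set plus "#", in ASCII order.
function reservedDifference() {
  const comp = unencodedSet(encodeURIComponent);
  return [...unencodedSet(encodeURI)].filter((c) => !comp.includes(c)).join("");
}

// Number of %XX escapes encodeURIComponent emits for one code point.
function escapeCount(s) {
  return (encodeURIComponent(s).match(/%[0-9A-F]{2}/g) || []).length;
}

function utf8Expansion() {
  return {
    ascii: escapeCount(" "),            // 1 -> %20
    twoByte: escapeCount("\u00e9"),     // 2 -> %C3%A9   (U+0080..U+07FF)
    threeByte: escapeCount("\u4e2d"),   // 3 -> %E4%B8%AD (U+0800..U+FFFF)
    fourByte: escapeCount("\u{1F600}"), // 4 -> %F0%9F%98%80 (surrogate pair)
  };
}

// A lone high surrogate has no UTF-8 encoding: the URI functions throw a
// URIError rather than emitting bytes. Returns the error name, or null.
function loneSurrogateError() {
  try {
    encodeURIComponent("\ud83d");
    return null;
  } catch (e) {
    return e.name;
  }
}
```

The lone-surrogate case is the one that bites in practice: a string cut to a fixed length in the middle of an emoji, then passed to encodeURIComponent, throws rather than encodes, so encoding of untrusted input belongs inside a try/catch or behind a check with String.prototype.isWellFormed where available.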

Example:

alert(encodeURIComponent("a&t plastic")); // a%26t%20plastic
alert(escape("a&t plastic"));             // a%26t%20plastic
alert(encodeURI("a&t plastic"));          // a&t%20plastic

(The original example had a fourth call, escape() on a string containing Chinese characters, which produced %uXXXX sequences; the characters themselves were lost when the page was extracted.)

We see that encodeURI leaves the URI reserved character & unencoded, while encodeURIComponent encodes it as %26. escape() encodes the Chinese characters as %uXXXX sequences, which no standard URL decoder other than unescape() understands.

URL encoding is also used offensively in XSS attacks: a payload is percent-encoded (sometimes more than once) so that a server-side filter inspecting the raw request does not recognise it, and so that a malicious link looks harmless enough for an unsuspecting user to click. A filter that matches signatures must therefore normalise (decode) input before matching, and even then it is only a mitigation; encoding output at the point where data is written into HTML is the defence that actually prevents XSS.
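The bypass described above can be reproduced in a few lines. The following is an added example, not code from the original article: a deliberately simplistic signature filter applied once to the raw query string and once to a normalised copy, run against the same constructed payload in plain, single-encoded and double-encoded form. The signature regex and payload are constructed for the illustration; the point is the normalisation step, not the signature.

```javascript
// Added example: a raw-string XSS filter versus one that decodes before matching.
// SIGNATURE and the payload are constructed for this illustration.

const SIGNATURE = /<script|javascript:|onerror\s*=/i; // deliberately simplistic

// Naive filter: inspects the query string exactly as received.
function naiveFilter(rawQuery) {
  return SIGNATURE.test(rawQuery);
}

// Decode until the string stops changing, bounded so a pathological input
// cannot loop forever. An invalid %XX sequence leaves the current form as is
// rather than letting a URIError abort the check.
function fullyDecode(s, maxRounds = 5) {
  let prev = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(prev.replace(/\+/g, " "));
    } catch (e) {
      return prev;
    }
    if (next === prev) return next;
    prev = next;
  }
  return prev;
}

// Normalised filter: same signature, applied after decoding.
function normalizedFilter(rawQuery) {
  return SIGNATURE.test(fullyDecode(rawQuery));
}

// The same payload in three forms. Double encoding matters when some layer
// (proxy, container) decodes once before the filter runs and the application
// decodes again afterwards.
function filterComparison() {
  const payload = "<script>alert(1)</script>";
  const once = encodeURIComponent(payload);
  const twice = encodeURIComponent(once);
  const forms = { plain: payload, once, twice };
  const result = {};
  for (const [name, q] of Object.entries(forms)) {
    result[name] = { naive: naiveFilter(q), normalized: normalizedFilter(q) };
  }
  return result;
}
```

The naive filter catches only the plain form; the normalised one catches all three. The caveat cuts both ways: a filter that decodes more times than the application does will flag input the application would never interpret as markup, which is why the decoding depth should mirror the real request path and why output encoding, not input filtering, is the primary control.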


