How can I stop the browser from url-encoding form values on GET - html

I have a form with method="get". In the form I need to pass the URL of a CSS file but it is encoding it to http%3A%2F%2Fwww... etc.
Is there a way to stop the encoding of the URL as it is breaking the file.
Thanks

Background
It's a bit more subtle than one might think at first sight. For any URL, which is a specific form of the URI standard, certain characters are special. Among the special characters are `:` (scheme separator) and `/` (path or hierarchy separator); here's the full list of reserved symbols from RFC 2396:
reserved = ";" | "/" | "?" | ":" | "#" | "&" | "=" | "+" | "$" | ","
It has little to do with security, much more with simply following a standard: these symbols mean something special in any URI, URL or URN. When you need to use them as part of a path or a querystring (the GET request creates a query string for you), you need to escape them. The short version of escaping is: take the UTF-8 bytes as hexadecimal and precede them with a % sign. In the case of the reserved characters, that's always a single-byte character in UTF-8 and thus escaped as two hex digits.
Path to a solution
Back to your problem. You didn't mention what language you were using. But any language that works with the internet has a way of encoding or decoding URLs. Some have helper functions to decode an entire URL, but normally you are better off splitting it into name/value pairs and then decoding each one. This will give you the absolute URL path you need.
Note: it is best to always decode query values, simply because when people type in a value, they won't know whether that value is reserved, and the browser will encode it for you. Not doing so poses a security risk.
EDIT: When you need to decode within a page, not on the server side, you're going to need JavaScript to do the job. Have a look at this page for en/decoding URLs, or use Google to find many others.

No, you can't. The encoding is required to make a valid URL.
Instead, decode the value in your receiving code (what platform are you on anyways, URL decoding is usually done automatically for you)

If you used XMLHttpRequest you can send text without encoding.
You can use JavaScript to do that, but remember to set content-type to text/plain.
content-type: text/plain

No, for security reasons you can't do this. You have to collect and decode it at the receiving end.

When you use a FORM with the GET method and some special chars, you will end up with the browser encoding the resulting query.
For newer browsers that support changing the URL address without refreshing the page (IE10+), it is possible to decode the URL query string and update the address.
I'm using a script like this:
<script type="text/javascript">
if (history.pushState) { // IE10+ and other browsers with the History API
    // Rebuild the current URL with the query string percent-decoded
    var newurl = window.location.protocol + "//" + window.location.host + window.location.pathname + decodeURIComponent(window.location.search);
    // Replace the address bar entry without reloading the page
    window.history.pushState({path: newurl}, '', newurl);
}
</script>
This will transform a http://example.com/page.html?path=foo%2Fbar back to http://example.com/page.html?path=foo/bar

You can decode the URL using the JavaScript function decodeURIComponent(Url);
Because the browser encodes the URL for special characters. For example: https://www.example.com is encoded to %20https%3A%2F%2Fwww.example.com. Here the special characters are replaced by % and their ASCII value.

Related

STRING_ESCAPE json forward slash

Using the STRING_ESCAPE function found here I am escaping certain columns with string values so that they fit in a JSON format. However when it is applied to URLs it behaves, in my opinion, strangely.
SELECT STRING_ESCAPE('https://www.website.com/page', 'json')
returns https:\/\/www.website.com\/page.
I can understand that indeed according to this post forward slashes are allowed, not required in JSON and therefore they are included when using this function. But if you create an HTML tag with this value (https:\/\/www.website.com\/page) the link no longer works as, my browser at least, is trying to surf to https://www.website.com//page.
Since I don't know if my original string contains \/ I can't just use REPLACE(STRING_ESCAPE([column], 'json'), '\/', '/') to solve this.
Is there an option to disable the escaping of forward slashes? Or any other clever solution to this problem?
I'm not aware of any option to disable escaping a forward slash, but if you're looking for ideas for a workaround you could replace forward slashes with some dummy value, then do the escaping, then restore the forward slashes by replacing the dummy values with the forward slashes.
Thinking something like this:
DECLARE @replace_value VARCHAR(36) = NEWID();
SELECT
    STRING_ESCAPE('https://www.website.com/page', 'json'),
    REPLACE(STRING_ESCAPE(REPLACE('https://www.website.com/page', '/', @replace_value), 'json'), @replace_value, '/');
Not the prettiest, but might get the job done.
Preamble: The original problem is attempting to JSON-escape a value that is not later consumed as JSON, as URLs are not JSON strings. However, this answer does not focus on that incorrect domain usage and/or failure to decode the JSON value before the usage in HTML.
Rather, this answer corrects this misbelief:
Since I don't know if my original string contains [\/] I can't just use a replace to solve this.
As long as STRING_ESCAPE is used, it is a valid approach to perform the replacement after using STRING_ESCAPE, as shown in the original question:
REPLACE(STRING_ESCAPE([column], 'json'), '\/', '/')
This is because STRING_ESCAPE escapes every / and \, meaning that any \/ in the original source is also escaped as \\\/. (It would only be problematic if \ was not also escaped.)
Consider these examples, which result in a valid JSON string content without the escaped solidus, that demonstrate the correctness of the simple REPLACE approach.
INPUT           STRING_ESCAPE          REPLACE(.., '\/', '/')
hello\world     hello\\world           hello\\world
hello/world     hello\/world           hello/world
hello\/world    hello\\\/world         hello\\/world
\\/\/\\         \\\\\/\\\/\\\\         \\\\/\\/\\\\
The values above represent the actual string content.
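To check the argument above mechanically, here is an added JavaScript model (not the answer's own code, and not T-SQL) of how STRING_ESCAPE(..., 'json') treats the backslash, solidus, quote and control characters, followed by the post-escape replace; the round-trip check confirms the result is still valid JSON string content that parses back to the original. Function names are mine.

```javascript
// Added example, not from the original answer: a JavaScript model of the escaping
// STRING_ESCAPE(x, 'json') applies to "\", "/", '"' and control characters, so the
// "replace \/ afterwards" claim can be tested by round-tripping through JSON.parse.
const SHORT_ESCAPES = {
  '\\': '\\\\', '/': '\\/', '"': '\\"',
  '\b': '\\b', '\f': '\\f', '\n': '\\n', '\r': '\\r', '\t': '\\t',
};

// Model of STRING_ESCAPE(..., 'json'): escapes the solidus as well as the backslash.
function jsonEscapeWithSolidus(text) {
  return text.replace(/[\\"\/\x00-\x1f]/g, (c) =>
    SHORT_ESCAPES[c] || '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// The post-processing from the question: REPLACE(..., '\/', '/').
// Safe because every "/" in the escaped text is preceded by its own escaping "\",
// and every original "\" has become "\\", so "\/" can only be an escaped solidus.
function dropSolidusEscape(escaped) {
  return escaped.replace(/\\\//g, '/');
}

// Does the form without the escaped solidus still decode to the original string?
function roundTrips(text) {
  const content = dropSolidusEscape(jsonEscapeWithSolidus(text));
  return JSON.parse('"' + content + '"') === text;
}

// Constructed sample rows, the same four inputs as the table above.
const ROWS = ['hello\\world', 'hello/world', 'hello\\/world', '\\\\/\\/\\\\'];
```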

Inside a <video> tag, what is the meaning of data:?

When trying to download a video on vevo by inspecting element, I discovered that that was impossible even though the content wasn't DRM protected. The video tag refers to a file that I can't trace or find using ctrl+I (Firefox Dev Edition), while it is still playing in the browser. Instead of /folder/video it says data:folder/video. How does this data: work?
A quick Google search and our friend Wikipedia says:
The data URI scheme is a uniform resource identifier (URI) scheme that provides a way to include data in-line in web pages as if they were external resources. It is a form of file literal or here document. This technique allows normally separate elements such as images and style sheets to be fetched in a single Hypertext Transfer Protocol (HTTP) request, which may be more efficient than multiple HTTP requests.
Syntax
The scheme followed by a colon (data:).
An optional media type. The media type part may include one or more parameters, in the format attribute=value, separated by semicolons. A common media type parameter is charset, specifying the character set of the media type, where the value is from the IANA list of character set names. If one is not specified, the media type of the data URI is assumed to be text/plain;charset=US-ASCII.
An optional base64 extension base64, separated from the preceding part by a semicolon. When present, this indicates that the data content of the URI is binary data, encoded in ASCII format using the Base64 scheme for binary-to-text encoding. The base64 extension is distinguished from any media type parameters by virtue of not having a =value component and by coming after any media type parameters.
The data, separated from the preceding part by a comma. The data is a sequence of zero or more octets represented as characters. The comma is required in a data URI, even when the data part has zero length. The characters permitted within the data part include ASCII upper and lowercase letters, digits, and many ASCII punctuation and special characters. Note that this may include characters, such as colon, semicolon, and comma which are delimiters in the URI components preceding the data part. Other octets must be percent-encoded. If the data is Base64-encoded, then the data part may contain only valid Base64 characters. Note that Base64-encoded data: URIs use the standard Base64 character set (with + and / as characters 62 and 63) rather than the so-called "URL-safe Base64" character set.
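As an added example (not part of the answer above), here is a Node.js parser for the data: URI syntax just quoted: it applies the text/plain;charset=US-ASCII default, separates the ;base64 marker from media type parameters, enforces the standard Base64 alphabet, and percent-decodes non-Base64 data. Function names are mine.

```javascript
// Added example, not from the original answer: a parser for the data: URI syntax
// (scheme, optional media type with parameters, optional ";base64", comma, data).
// Node.js; the decoded payload is returned as a Buffer.
function parseDataUri(uri) {
  if (!/^data:/i.test(uri)) throw new Error('not a data: URI');
  const comma = uri.indexOf(',');
  if (comma < 0) throw new Error('the comma is required, even for empty data');
  const header = uri.slice('data:'.length, comma).split(';');
  const rawData = uri.slice(comma + 1);

  // ";base64" is the last header segment and the only one without "=value".
  const isBase64 = header.length > 1 && header[header.length - 1].toLowerCase() === 'base64';
  if (isBase64) header.pop();

  // An omitted media type means text/plain;charset=US-ASCII.
  const mediaType = (header[0] || 'text/plain').toLowerCase();
  const params = {};
  for (const p of header.slice(1)) {
    const eq = p.indexOf('=');
    if (eq <= 0) throw new Error('malformed media type parameter: ' + p);
    params[p.slice(0, eq).toLowerCase()] = p.slice(eq + 1);
  }
  if (!header[0] && !params.charset) params.charset = 'US-ASCII';

  let data;
  if (isBase64) {
    // Standard alphabet only: "+" and "/", never the URL-safe "-" and "_".
    if (!/^[A-Za-z0-9+\/]*={0,2}$/.test(rawData)) throw new Error('invalid Base64 data');
    data = Buffer.from(rawData, 'base64');
  } else {
    // Non-Base64 data is percent-encoded text; decodeURIComponent handles UTF-8 sequences.
    data = Buffer.from(decodeURIComponent(rawData), 'utf8');
  }
  return { mediaType, params, isBase64, data };
}

// Convenience for text payloads.
function dataUriText(uri) {
  return parseDataUri(uri).data.toString('utf8');
}
```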

ResourceLoader returns empty strings

I am trying to use a *.resw file in my UWP app to store localized strings. I am loading these strings through ResourceLoader.GetString() and am placing them in a MessageDialog for presentation to the user, but no matter what I do the return value of GetString() is an empty (zero-length) string. I am following the SDK sample for localization, but am not getting the expected response.
The string I am trying to use is of the format InvalidAssemblyDialog.Message.
As it turns out this problem was due to my using dots in the keys for my strings in the *.resw file. Dots are reserved, and my usage of them was causing name-resolution errors. In the case of the example above, I changed it to InvalidAssemblyDialog_Message.
Here the documentation says "." characters should be replaced with "/" when resources are queried from code.
If a resource name is segmented (it contains "." characters), then replace dots with forward slash ("/") characters in the resource name. Property identifiers, for example, contain dots; so you'd need to do this substitution in order to load one of those from code.

Text encoding problems in JSON.stringified() object

I have an index.html with a which sends a text to a PHP script. This PHP script sends it again by POST (curl) to a Node.js server, inserted in a JSON message (utf8-encoded).
//Node.js server file (app.js) -- gets the json and shows it in a <script> to save it in client JS
render(index, {json:{string:"mystring"}})
//Template to render (index.ejs)
var data = <%=JSON.stringify(json)%>;
So that I can pass those variables in the JSON to data. The JSON is way bigger than here; I wrote only the part which creates a bug: the string contained here causes an "Invalid character" JS error. What should I do? Which encoding/decoding/escaping should I use?
I have utf-8 everywhere, as all my other strings work, even with German or Arabic characters. In this particular case, it is the "mystring" below which breaks the app:
If I remove the characters in the red circles, it works.
Here is the string as it is in the JSON I receive:
"Otto\nTheater-, Konzert- und Gpb\n\u2028\u2028Rhoasse\u00dfe 20\u2028\n51065 K\u00f6ln\n\nTelefon: 0000-000000-0\u2028\nTelefax: 0000-000000\n\nE-Mail: address#mail.com\u2028"
Because it is a user-entered text, I must handle this kind of characters. I don't have access to the PHP part of the code, only to the nodeJS and client JS. How can I find and remove/convert those chars in JS ?
<%- JSON.stringify(data).replace(/[\u0000\u00ad\u0600-\u0604\u070f\u17b4\u17b5\u200c-\u200f\u2028-\u202f\u2060-\u206f\ufeff\ufff0-\uffff]/g, "\\n") %>;
I ended up replacing invalid unicode characters (which are valid for JSON but not in JS code) with line breaks. This solves the problem
JSON is commonly thought to be a subset of JavaScript, but it isn't quite. Due to an unfortunate oversight, the raw characters U+2028 and U+2029 are permitted in JSON string literals, but not in JavaScript string literals. In JavaScript, they are interpreted as newlines and so having one in a string literal is a syntax error.
Consequently this:
var data = <%=JSON.stringify(json)%>;
isn't safe. You can make it so by manually replacing them with string-literal-escaped versions:
JSON.stringify(json).replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029')
Typically it's best to avoid this kind of problem, and keep code and data strictly separated, by dropping the JSON data into an HTML data- attribute. It can then be read out of the DOM from the client-side script and passed through JSON.parse. Then the only kind of escaping you have to worry about is normal HTML-escaping, which hopefully your templating language does by default.
The other characters in your answer are actually okay for JS string literals, except for the control characters, which JSON also escapes.
It may well make sense to remove some of these characters anyway, as an input filtering step. It's unusual and almost always undesirable to have cruft like U+2028 in your data. You could consider filtering out the characters unsuitable for use in markup which include U+2028/9 and other bad things like bidi overrides that can mess up your page rendering.
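As an added example (not the answer's own code), here is a serializer for the template line var data = <%- ... %>; that escapes U+2028 and U+2029 with global regexes, the data- attribute alternative the answer recommends, and a check that the rendered text is a valid JavaScript expression. It also escapes "<" as \u003c, which the answer does not mention, so the literal cannot end the surrounding script element; note that engines implementing ES2019 accept the raw U+2028/U+2029 characters, while older engines do not, so the escaped form works everywhere. Function names are mine.

```javascript
// Added example, not from the original answer. Serialises a value for embedding
// in a <script> as "var data = <%- jsonForScript(json) %>;", escaping U+2028 and
// U+2029 (legal in JSON, historically illegal in JS string literals) and "<".
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/\u2028/g, '\\u2028')   // global regex: a string pattern would replace only the first hit
    .replace(/\u2029/g, '\\u2029')
    .replace(/</g, '\\u003c');       // keeps "</script>" inside the data from closing the element
}

// The alternative the answer recommends: keep data out of the code entirely by
// HTML-escaping the JSON into a data- attribute and JSON.parse-ing it client-side.
function jsonForDataAttribute(value) {
  const entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return JSON.stringify(value).replace(/[&<>"']/g, (c) => entities[c]);
}

// Is the text a valid JavaScript expression, i.e. what the browser must parse
// after the template renders? Evaluate it to compare with the original input.
function isValidJsLiteral(src) {
  try { new Function('return (' + src + ');'); return true; }
  catch (e) { if (e instanceof SyntaxError) return false; throw e; }
}
function evalJsLiteral(src) {
  return new Function('return (' + src + ');')();
}
```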

How can I populate a query string variable to a text box which contains &,\ and $ in it

I have a variable like say A= drug & medicare $12/$15.
I need to assign it to a text box, but only 'drug' is posted to the server. The rest of the data gets truncated.
this.textbox.Text = Request.QueryString["A"].ToString();
The following is not valid for a="foo&bar$12":
http://example.com?a=foo&bar$12
The & symbol is a reserved character; it separates query string variables. You will need to percent-encode values before sending them to that page.
Also & is a reserved character in HTML/XML. I suggest reading up on percent encoding and html encoding.
I believe you have problems with HTML entities. You need to read up on HTML escaping in your tool of choice. & cannot stand in HTML, since it begins an entity sequence - it needs to be replaced with &amp;. Without specifying at least which toolchain you're using (as per @Richard's comment), we can't really suggest the best way to do it.
EDIT: Now that I reread your question, it seems A is not a variable but a query parameter :) Reading comprehension fail. Anyway, in this case a similar problem exists: & is not a valid character for a query parameter, and it needs URL escaping. Again, how exactly to do it is in the documentation for your toolchain, but in essence & will need to be replaced by %26. Plus sign is also not permitted (or rather it has another meaning); others are tolerated (but there are nicer ways to write them).
That looks more or less like ASP.NET pseudocode, so I'm going to diagnose your problem as the query string needing to be URL encoded. Key/value pairs in the query string are separated by an ampersand (&), and ASP.NET (along with other web platforms) automatically parse out the key value pairs for you.
In this case, the ampersand terminates the value of the "A=..." key/value pair. The problem will be solved if you can URL encode the link that brings the user into your page. If actually using ASP.NET, you can use the HttpUtility.UrlEncode() method for that:
string myValue = Server.UrlEncode("drug & medicare $12/$15");
You'll end up with this querystring instead: A=drug%20%26%20medicare%20%2412%2F%2415
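As an added example (not code from any answer on this page), here is a Node.js implementation of the percent-encoding the Background answer describes (UTF-8 bytes as %XX, RFC 2396 reserved set escaped) and of its split-then-decode advice; it reproduces the A=drug%20%26%20medicare... query string just shown and demonstrates why decoding window.location.search as a whole, as the pushState snippet earlier does, can merge name/value pairs. Function names are mine.

```javascript
// Added example, not from the original answers. Node.js, no dependencies.

// RFC 2396 "unreserved" characters may appear literally in a query component;
// everything else (including the reserved set ; / ? : # & = + $ ,) is escaped.
const UNRESERVED = /[A-Za-z0-9\-_.!~*'()]/;

// Encode one value: every other byte of its UTF-8 form becomes %XX.
function percentEncode(value) {
  let out = '';
  for (const byte of Buffer.from(value, 'utf8')) {
    const ch = String.fromCharCode(byte);
    out += byte < 0x80 && UNRESERVED.test(ch)
      ? ch
      : '%' + byte.toString(16).toUpperCase().padStart(2, '0');
  }
  return out;
}

// Decode one value: a run of %XX escapes is turned back into bytes and read as
// UTF-8, so multi-byte characters such as "ö" (%C3%B6) come back intact.
function percentDecode(value) {
  return value.replace(/(?:%[0-9A-Fa-f]{2})+/g, (run) =>
    Buffer.from(run.split('%').slice(1).map((h) => parseInt(h, 16))).toString('utf8'));
}

// Build a query string from [name, value] pairs, encoding each side separately
// so a literal "&" or "=" inside a value cannot be mistaken for a separator.
function buildQuery(pairs) {
  return pairs.map(([k, v]) => percentEncode(k) + '=' + percentEncode(v)).join('&');
}

// Parse a query string: split on "&" and "=" FIRST, percent-decode each piece AFTER.
// Decoding the whole string up front (as the pushState snippet earlier on this page
// does with window.location.search) turns an encoded %26 back into a separator.
function parseQuery(query) {
  return query.replace(/^\?/, '').split('&').filter(Boolean).map((part) => {
    const eq = part.indexOf('=');
    const name = eq < 0 ? part : part.slice(0, eq);
    const value = eq < 0 ? '' : part.slice(eq + 1);
    return [percentDecode(name), percentDecode(value)];
  });
}

// Constructed sample: the value from the question above plus a CSS URL, as in the
// first question on this page.
const sampleQuery = buildQuery([['A', 'drug & medicare $12/$15'], ['css', 'http://www.example.com/site.css']]);
```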