R – Why does URLEncodedFormat() in CFML encodes valid URL characters

coldfusionurlencode

What are the reasons behind URLEncodedFormat() escaping valid URL characters?

valid characters:

- _ . ! ~ * " ( )

The CF8 Doc said, "[URLEncodedFormat() escapes] non-alphanumeric characters with equivalent hexadecimal escape sequences." However, why escape valid URL characters?

Best Solution

They are valid, but it seems pretty normal to me that if you ask a programming language to url encode a string that it converts all non alpha numeric chars to the hex equivalent.

ASP's Server.URLEncode() does the same and php urlencode() does too except for - and _. Also, in javascript, the encodeURIComponent() function will encode all non alpha numeric chars to hex equivalents.

This is a good idea anyway to encode all non alpha numeric characters when using user input for forming server requests to prevent anything unexpected from happening.

Related Solutions

Html – how to encode href attribute in HTML

Construct a URL as normal. Follow the rules for constructing URLs. Encode data you put into it.

Then construct HTML as normal. Follow the rules for constructing HTML. Encode data as you put it into it.

i.e. Do both (but in the right order).

They aren't mutually exclusive, so there is no contradiction.

For example (this is a simplified example that assumes data in $_GET is correct and exists, don't do that in the real world):

$search_term = $_GET['q'];
$page = $_GET['page'];
$next_page = $page + 1;
$next_page_url = 'http://example.com/search?q=' . urlencode($search_term) . '&page=' . urlencode($next_page);
$html = '<a href="' . htmlspecialchars($next_page_url) . '">link text</a>';

Best Solution

Related Solutions

Html – how to encode href attribute in HTML

Related Question