Re: URL escaping
luotonen@ptsun00.cern.ch (Ari Luotonen)
From: luotonen@ptsun00.cern.ch (Ari Luotonen)
Date: Thu, 18 Nov 93 10:56:36 +0100
Message-id: <9311180956.AA01568@ptsun03.cern.ch>
To: www-talk@nxoc01.cern.ch
Subject: Re: URL escaping
> ...
> For "http:", it's different. The browser doesn't do the decoding
> (except for some /#? stuff) and depends on the HTTP server to
> give it 7-bit ascii encoded URLs. As long as it spits out
> 7-bit ascii, the encoding is completely up to the server.
The unescaping that we've been arguing about is %xx to ASCII.
Escaping is done _by_the_client_ if keywords/form fields contain
characters that are illegal (or otherwise would cause confusion)
in URLs, %xx escapes are used. Clearly the escaping scheme has
to be well known between browser and server, because this escaping
is done in the part of the URL that is composed _by_the_client_
(so it is bound to be non-opaque to it).
These will be unescaped either by server or the script; both of
them know how to do it. The problem was that there are other
reserved characters than just +&= and if they are left unparsed
by server, but %xx are still unescaped, the result may
contain characters that have a special meaning in URL, but
the script cannot tell anymore if those stand for their special
meaning, or if they were escaped in the first place.
-- Cheers, Ari --