Alexey Verkhovsky
2005-Mar-29 04:47 UTC
What is the right way to escape non-URL characters in URLs?
Dear list,

I'd like to ask a stupid question. Some value (of a model object) can be an element of a URL, and it can have some non-URL characters in it. So, when a Rails application:

(a) gets the value of a new entity from a form
(b) writes a name into the HTML document
(c) gets it from routing (as an action parameter)
(d) gives it to routing ( :controller => foo, :action => bar, :name => foobar.name )
(e) reads/writes it to the database

which conversions are applied implicitly, and which conversion must be applied explicitly by the application?

-- 
Best regards,
Alexey Verkhovsky
Ruby Forum: http://ruby-forum.org (moderator)
RForum: http://rforum.andreas-s.net (co-author)
Instiki: http://instiki.org (maintainer)
Jeremy Kemper
2005-Mar-29 06:24 UTC
Re: What is the right way to escape non-URL characters in URLs?
Alexey Verkhovsky wrote:
> Dear list,
>
> I'd like to ask a stupid question. Some value (of a model object) can be
> an element of a URL, and it can have some non-URL characters in it.

There are two issues: encoding URLs (eg, ' ' -> '%20' or '+') and escaping HTML entities ('>' -> '&gt;').

URL encoding/decoding is handled consistently and transparently. You must do your own HTML escaping in your views with <%=h '<test string>' %> (h is an alias for html_escape.)

> (a) gets the value of a new entity from a form

This is a GET request with query params or a POST request with parameters in the body. The Ruby CGI library unescapes these parameters for us when it parses the request.

> (b) writes a name into the HTML document

URL encoding is not relevant. You'll want to escape HTML entities unless you're loading a raw value into, say, a textarea. Field: <%=h @model.field %>

> (c) gets it from routing (as an action parameter)

Routing parameters are pulled from the URL and are thus URL encoded. The routing library unescapes when it assigns them to parameters.

> (d) gives it to routing ( :controller => foo, :action => bar, :name =>
> foobar.name )

The values are URL encoded when the URL is constructed.

> (e) reads/writes it to the database

Neither URL encoding nor HTML escaping is relevant.

> which conversions are applied implicitly, and which conversion must be
> applied explicitly by the application?

The only explicit conversion is doing HTML entity escaping in your views. Don't worry about URL encoding unless you're manually mucking with URLs. Action Pack does the right thing.

jeremy
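The two transforms Jeremy separates, worked through in plain Ruby as an added example (this is not code from the thread or from Action Pack). It uses the standard library's URI www-form helpers and ERB::Util.html_escape rather than the CGI library that Action Pack of that era called; the percent-encoding rules are the same. SAMPLE_NAME and the /items/show route are constructed for the example. It shows why URL encoding is transparent (the value round-trips, markup included, so the controller sees the raw string again), why only the view's h call makes the value inert, and what goes wrong when the two transforms are swapped.

```ruby
require 'erb'
require 'uri'

# Constructed sample: a record "name" containing characters that are unsafe
# in a URL and in HTML (an assumption for this example, not from the thread).
SAMPLE_NAME = 'Tom & Jerry <b>"bold"</b>?x=1'

# (d) then (c): URL encoding is a reversible transport encoding. The value is
# percent-encoded when the URL is built and decoded again when the request
# is parsed, so the controller sees the original bytes, markup included.
def url_roundtrip(value)
  encoded = URI.encode_www_form_component(value)
  [encoded, URI.decode_www_form_component(encoded)]
end

# (b): HTML escaping is what <%=h ... %> does in a view (ERB::Util.h is the
# alias for ERB::Util.html_escape). It rewrites &, <, >, " into entities so
# the browser treats the value as text rather than markup.
def html_escape(value)
  ERB::Util.html_escape(value)
end

# What the application sees after the request parser decodes a query
# string: the first value of the 'name' parameter, or nil.
def name_param(query_string)
  pair = URI.decode_www_form(query_string).find { |k, _| k == 'name' }
  pair && pair.last
end

# A link written into an HTML document needs both transforms, in this order:
# percent-encode the value when building the href (so a '&' inside the value
# cannot be read as a parameter separator), then HTML-escape the href and the
# link text as they are written into the page. The route is hypothetical.
def link_to_record(name)
  href = "/items/show?name=#{URI.encode_www_form_component(name)}"
  %(<a href="#{html_escape(href)}">#{html_escape(name)}</a>)
end

# The wrong transform for the job: HTML-escaping a value and pasting it into a
# query string. html_escape turns '&' into '&amp;' and leaves '?', '=' and '+'
# alone, so the query parser truncates the value at the first '&'.
def wrong_href(name)
  "/items/show?name=#{html_escape(name)}"
end

def wrong_href_name_param(name)
  name_param(wrong_href(name).split('?', 2).last)
end

# Rendering the decoded parameter with and without h. Only the second form
# keeps the <b> tag inert.
def render_unsafe(name)
  "<p>#{name}</p>"
end

def render_safe(name)
  "<p>#{html_escape(name)}</p>"
end

if __FILE__ == $PROGRAM_NAME
  encoded, decoded = url_roundtrip(SAMPLE_NAME)
  puts "URL-encoded:   #{encoded}"
  puts "round-trips:   #{decoded == SAMPLE_NAME}"
  puts "HTML-escaped:  #{html_escape(SAMPLE_NAME)}"
  puts "link:          #{link_to_record(SAMPLE_NAME)}"
  puts "wrong href -> name param: #{wrong_href_name_param(SAMPLE_NAME).inspect}"
end
```

The order in link_to_record is the practical rule: encode for the URL first, then escape for the document, because the outer context (HTML) is the last one the bytes pass through before the browser parses them. Applying them in the other order, or only one of them, is how a name containing '&' or '<' ends up either splitting the query string or being rendered as live markup.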