Re: URL escaping

Ari Luotonen (
Thu, 18 Nov 93 10:56:36 +0100

> ...
> For "http:", it's different. The browser doesn't do the decoding
> (except for some /#? stuff) and depends on the HTTP server to
> give it 7-bit ascii encoded URLs. As long as it spits out
> 7-bit ascii, the encoding is completely up to the server.

The unescaping that we've been arguing about is %xx to ASCII.
Escaping is done _by_the_client_ if keywords/form fields contain
characters that are illegal (or otherwise would cause confusion)
in URLs, %xx escapes are used. Clearly the escaping scheme has
to be well known between browser and server, because this escaping
is done in the part of the URL that is composed _by_the_client_
(so it is bound to be non-opaque to it).

These will be unescaped either by server or the script; both of
them know how to do it. The problem was that there are other
reserved characters than just +&= and if they are left unparsed
by server, but %xx are still unescaped, the result may
contain characters that have a special meaning in URL, but
the script cannot tell anymore if those stand for their special
meaning, or if they were escaped in the first place.

-- Cheers, Ari --