[Typo3-dev] FYI: JS escape, encodeURIComponent and PHP urlencode - IMPORTANT!
Martin T. Kutschker
Martin.no5pam.Kutschker at blackbox.n0spam.net
Fri Aug 27 18:09:58 CEST 2004
Hi!
It seems we have some problems because of some misunderstandings on what
certain JS functions do. And what's more, how they behave on different
browsers.
In the "good old days" escape() used to take the binary string and
replaced the binary values of "non-letters" as %xx. It didn't care about
charsets at all.
THIS IS NOT TRUE FOR *IE* ANYMORE!
MS's browser translates the string into Unicode before doing the %
escaping. Whether the string is in iso-8859-1, iso-8859-2 or UTF-8, the
escaped string is treaded as Unicode codepoints (%xx and %uxxxx)! This
means an JS escape() cannot be reversed by PHP urldecode() and vice versa.
*Older* Mozillas (< 1.5) OTOH behave like IE did before. The charset
is transparent for this function and so it's still compatible with
urlencode(). Since 1.5 Mozilla acts like IE and is now also in sync with
the ECMA-262 ver3 standard.
The problem is that the generating or consuming PHP code must know
about the client software. So it can generate or interpret the correct
encoding. Or all strings must be encoded/decoded either server or client
side. Eg. output a SCRIPT section where all strings are in vars and do
the encoding with escape(), rather then echoing the strings inline (with
PHP $vars). But this leads to clumsy code and is certainly error prone.
And as for encodeURIComponent, well, this works the same on "all"
browsers (I did test with IE and Mozilla, don't know about Opera,
Konqueror, ...):
The string in question is translated from the local charset into UTF-8
and then it is escaped in the usual style. This is compatible with
urlencode() if you keep in mind that you have to do a charset
conversion, if you're not using utf-8!
The problem is that older browsers might not support
encodeURIComponent. And again we'll end up with browser sniffing, either
serverr or cleint side :-(
So, this are the facts. Let's see if we can find some sound solution.
I'd prefer to avoid browser sniffing, but I fear we'll need it.
Docs:
escape()
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/jscript7/html/jsmthescape.asp
encodeURIComponent()
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/jscript7/html/jsmthencodeuricomponent.asp
Masi
More information about the TYPO3-dev
mailing list