DEV Community

Discussion on: . (dot) has no real encoder / decoder. Only sanitizers.

Yufan Lou

What is the meaning you want to preserve?

Pacharapol Withayasakpunt • Edited

app.get('/:param')

Actually, /^\.{1,2}$/ and /^(?:%2E){1,2}$/i will not survive the browser's URL constructor, and always disappear.

var u1 = new URL(`/${encodeURIComponent(param)}`, 'https://.')
var u2 = new URL('https://.'); u2.pathname = `/${encodeURIComponent(param)}`

// These are both not always `/:param`
// and if you replace `encodeURIComponent` with your favorite encoder, it usually makes no difference.

req.query, req.body, or even URL#search seem to have no restrictions, even if you encode it with only encodeURIComponent.

Yufan Lou

Yeah, that's conforming to RFC 3986 Section 5.2

Pacharapol Withayasakpunt • Edited

But as I said,

for (const fn of [yaml.safeDump, rison.encode]) {
  var u1 = new URL(`/${encodeURIComponent(fn(param))}`, 'https://.')
  var u2 = new URL('https://.')
  u2.pathname = `/${encodeURIComponent(fn(param))}`

  console.log(u1.pathname)
  console.log(u2.pathname)
}

None of these help.

Yufan Lou

For conformance to RFC 3986, single and double dot segments are recognized as relative paths and resolved as such. What other meaning do you want to give them? What's your worry?

Pacharapol Withayasakpunt • Edited

NVM. As long as dot is prefixed (perhaps with ~ as it will never be URI-encoded), it seems to work.
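
The behaviour discussed in this thread, as an added example that is not part of any participant's post: it shows which segments the WHATWG URL parser drops as dot segments (through both the constructor and the `pathname` setter) and how a `~` prefix lets `.` and `..` round-trip as data. The helper names and the `example.invalid` base are assumptions made for illustration.

```javascript
// Added example; helper names and the base URL are hypothetical.
const BASE = 'https://example.invalid';

// Pathname the URL constructor produces for one raw path segment.
function parsedPath(segment) {
  return new URL(`/${segment}`, BASE).pathname;
}

// Same check through the pathname setter, the second form used in the thread.
function setterPath(segment) {
  const u = new URL(BASE);
  u.pathname = `/${segment}`;
  return u.pathname;
}

// Prefix the encoded value with "~" (left untouched by encodeURIComponent),
// so the segment can never consist only of "." / ".." / "%2E" forms.
function encodeSegment(value) {
  return '~' + encodeURIComponent(value);
}

// Server-side inverse: refuse segments that were not produced by encodeSegment.
function decodeSegment(segment) {
  if (!segment.startsWith('~')) throw new Error('segment lacks ~ prefix');
  return decodeURIComponent(segment.slice(1));
}

// Encode, pass through the URL parser, then decode what is left in the path.
function roundTrip(value) {
  const path = parsedPath(encodeSegment(value));
  return decodeSegment(path.slice(1));
}

// Constructed sample segments: plain and percent-encoded dot segments.
for (const raw of ['.', '..', '%2E', '%2e%2E', '.%2e', '...', '~..']) {
  console.log(JSON.stringify(raw), '->', parsedPath(raw), setterPath(raw));
}
// Constructed sample values that must survive as route parameters.
for (const value of ['.', '..', 'a/b ..']) {
  console.log(JSON.stringify(value), 'round-trips as', JSON.stringify(roundTrip(value)));
}
```

A route handler that receives such a segment should call `decodeSegment` on the raw parameter and treat the result as data only, never as a filesystem path.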