Actually, /^\.{1,2}$/ and /^(?:%2E){1,2}$/i will not survive browser's URL constructor, and always disappear.
var u1 = new URL(`/${encodeURIComponent(param)}`, 'https://.');
var u2 = new URL('https://.');
u2.pathname = `/${encodeURIComponent(param)}`;
// They are both not always `/:param`,
// and if you replace `encodeURIComponent` with your favorite encoder, it usually makes no difference.
req.query, req.body, or even URL#search seem to have no restrictions, even if you encode it with only encodeURIComponent.
For conformance to RFC 3986, single and double dot segments are recognized as relative path and resolved as such. What other meaning do you want to give them? What's your worry?
What is the meaning you want to preserve?
app.get('/:param')
Actually, /^\.{1,2}$/ and /^(?:%2E){1,2}$/i will not survive browser's URL constructor, and always disappear. req.query, req.body, or even URL#search seem to have no restrictions, even if you encode it with only encodeURIComponent.
Yeah, that's conforming to RFC 3986 Section 5.2
But as I said,
None of these helps.
For conformance to RFC 3986, single and double dot segments are recognized as relative path and resolved as such. What other meaning do you want to give them? What's your worry?
NVM. As long as dot is prefixed (perhaps with ~ as it will never be URI-encoded), it seems to work.
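The behaviour discussed in this thread, as an added example that is not part of the original posts: the URL constructor resolves `.`, `..` and their `%2E` forms away, while a segment prefixed with `~` round-trips. The helper names (`pathFor`, `encodeSegment`, `decodeSegment`, `roundTrip`) and the origin `https://example.test` are assumptions made for illustration.

```javascript
// Added example; every name here is hypothetical, not from the thread.
const BASE = 'https://example.test'; // constructed origin

// Path the URL constructor produces for a single raw segment.
function pathFor(segment) {
  return new URL(`/${segment}`, BASE).pathname;
}

// Prefix with "~" (never percent-encoded by encodeURIComponent) so the
// segment can no longer be exactly "." / ".." or a %2E spelling of them.
function encodeSegment(param) {
  return '~' + encodeURIComponent(param);
}

// Reverse of encodeSegment; reject segments that lack the prefix so an
// unprefixed value is never silently accepted as a parameter.
function decodeSegment(segment) {
  if (!segment.startsWith('~')) {
    throw new Error('segment is missing the "~" prefix');
  }
  return decodeURIComponent(segment.slice(1));
}

// Encode, pass through the URL constructor, then decode again.
function roundTrip(param) {
  const pathname = pathFor(encodeSegment(param));
  return decodeSegment(pathname.slice(1)); // drop the leading "/"
}

// Constructed sample inputs: dot segments and their percent-encoded forms.
for (const raw of ['.', '..', '%2E', '%2e%2E', 'a/b']) {
  console.log(JSON.stringify(raw), '->', pathFor(raw),
              '| prefixed ->', pathFor(encodeSegment(raw)),
              '| decoded ->', JSON.stringify(roundTrip(raw)));
}
```

On the server side, the matching route handler would call `decodeSegment` on the captured parameter before using it.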