DEV Community

Pacharapol Withayasakpunt

. (dot) has no real encoder / decoder. Only sanitizers.

As . is potentially dangerous on the backend, both for URL and filenames, there are indeed sanitizers, like this one.

However, there is no standardized encoder / decoder to preserve meaning / uniqueness for URL and filenames. Why is that?

decodeURIComponent, escape, or even (s) => { el.innerText = s; return el.innerHTML } all wouldn't change `.`.

Edit:

The fastest and simplest way to escape this is simply '~' + s (and decode with p.replace(/^~/, '')).

Top comments (6)

Yufan Lou

What is the meaning you want to preserve?

Pacharapol Withayasakpunt • Edited

app.get('/:param')

Actually, /^\.{1,2}$/ and /^(?:%2E){1,2}$/i will not survive the browser's URL constructor, and always disappear.

var u1 = new URL(`/${encodeURIComponent(param)}`, 'https://.')
var u2 = new URL('https://.'); u2.pathname = `/${encodeURIComponent(param)}`

// These are both not always `/:param`,
// and if you replace `encodeURIComponent` with your favorite encoder, it usually makes no difference.

req.query, req.body, or even URL#search seem to have no restrictions, even if you encode it with only encodeURIComponent.

Yufan Lou

Yeah, that's conforming to RFC 3986 Section 5.2

Pacharapol Withayasakpunt • Edited

But as I said,

for (const fn of [yaml.safeDump, rison.encode]) {
  var u1 = new URL(`/${encodeURIComponent(fn(param))}`, 'https://.')
  var u2 = new URL('https://.')
  u2.pathname = `/${encodeURIComponent(fn(param))}`

  console.log(u1.pathname)
  console.log(u2.pathname)
}

None of these help.

Yufan Lou

For conformance to RFC 3986, single and double dot segments are recognized as relative path and resolved as such. What other meaning do you want to give them? What's your worry?

Pacharapol Withayasakpunt • Edited

NVM. As long as dot is prefixed (perhaps with ~ as it will never be URI-encoded), it seems to work.