javascript 双引号的 URL 编码
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/23037129/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
URL encoding of the double quote
提问by webcoding
I know that the double quote character is not allowed in the url and it is encoded as %22and this is done with utf-8 encoding. But what happens if i build a browser which does not perform url encoding and queries with the double quotes itself as it is permitted in the utf-8 encoding scheme. for example: www.google.com/"a". Moreover what would happen to the url parsing script in the server when it encounters a double quote?
我知道双引号字符没有在网址允许和它的编码形式%22,这与做UTF-8编码。但是,如果我构建的浏览器不执行 url 编码并使用双引号本身进行查询,因为它在 utf-8 编码方案中是允许的,会发生什么。例如:www.google.com/"a"。而且服务器中的url解析脚本遇到双引号会怎样呢?
回答by Paul Melekhov
Since you're passing invalid URI to the server, the server may respond with HTTP 400 Bad Requeststatus, but may not. Different servers have different behavior on this. For example, the Apache 2.4 servers responds with 403 Forbidden. It seems they recognize it as attempt of SQL-injection and suppress it immediately. The nginx servers responds with 404 Not Found.
由于您将无效的 URI 传递给服务器,服务器可能会以HTTP 400 Bad Request状态响应,但可能不会。不同的服务器对此有不同的行为。例如,Apache 2.4 服务器以403 Forbidden. 似乎他们认为这是 SQL 注入的尝试并立即将其压制。nginx 服务器以404 Not Found.
You don't need to build a browser which doesn't perform URL encoding to check. You can perform this query from simple telnet program which goes as a part of most operating systems (but may not be installed by default). If it's installed, you just need to execute telnet www.google.com 80in terminal window, paste following 2 lines:
您不需要构建一个不执行 URL 编码来检查的浏览器。您可以从简单的 telnet 程序中执行此查询,该程序是大多数操作系统的一部分(但默认情况下可能未安装)。如果已安装,您只需要telnet www.google.com 80在终端窗口中执行,粘贴以下两行:
GET /"a" HTTP/1.1
Host: www.google.com
and press Enter twice. You will get response with 404 Not Found. If you do the same with stackoverflow.com the response will be 400 Bad Request.
并按 Enter 两次。你会得到回应404 Not Found。如果您对 stackoverflow.com 执行相同操作,则响应将为400 Bad Request.
