How do I protect from over-encoding the path or query params?

如何防止过度编码路径或查询参数？

You cannot "protect from over-encoding". You either encode, or you do not. You should always know, for any given string, whether it is encoded or not. You should only encode strings which are not yet encoded, and you should never encode strings which are already encoded.

您不能“防止过度编码”。您要么编码，要么不编码。对于任何给定的字符串，您应该始终知道它是否已编码。您应该只对尚未编码的字符串进行编码，并且永远不要对已经编码的字符串进行编码。

So is this string encoded or not?

那么这个字符串是否编码？

%3Fref%3Dsomething%26term%3D{keyword}

It seems to me like this is bad input: clearly this is not encodedbecause it contains invalid characters ('{' and '}'). Yet it also seems not to be an unencoded string, because it contains '%xx' sequences. So it's partly-encoded. There is no programmatic "solution" once a string is in this form -- you simply need to avoid getting a string into such a form in the first place. You may be able to construct an algorithm which "fixes" this string, by carefully looking for parts looking like a "%" followed by two hex digits, and leaving them alone. But this will break on subtle cases. Consider an unencoded string "42%23", which is supposed to be a literal representation of the mathematical expression "42 mod 23". When I put this into a URI, I expect it to encode as "42%2523" so it decodes as "42%23", but the above algorithm will break and encode it as "42%23" which will then decode as "42#". So there is no way to fix the above string. Encoding "%3F" to "%253F" is exactly what a URI encoder should be doing.

在我看来这是错误的输入：显然这不是编码因为它包含无效字符（'{' 和 '}'）。然而它似乎也不是一个未编码的字符串，因为它包含 '%xx' 序列。所以它是部分编码的。一旦字符串采用这种形式，就没有程序化的“解决方案”——您只需要首先避免将字符串变成这种形式。您可以构建一个算法来“修复”这个字符串，方法是仔细寻找看起来像“%”后跟两个十六进制数字的部分，然后不理会它们。但这会在微妙的情况下中断。考虑一个未编码的字符串“42%23”，它应该是数学表达式“42 mod 23”的文字表示。当我把它放到一个 URI 中时，我希望它编码为“42%2523”，所以它解码为“42%23”，但是上面的算法会破坏并将其编码为“42%23”，然后将其解码为“42#”。所以没有办法修复上面的字符串。将“%3F”编码为“%253F”正是 URI 编码器应该做的事情。

Note: Having said this, browsers often allow you to get away with typing bad characters into URIs and they automatically encode them. That's not very robust so it shouldn't be used unless you are trying to be very forgiving of user input. In that case, you can do a "best effort" by first decodingthe URI and then re-encoding it. In this case, if I wanted to type "42%23" I would have to manually type in "42%2523".

注意：话虽如此，浏览器通常允许您避免在 URI 中输入错误字符，它们会自动对它们进行编码。这不是很健壮，因此除非您试图对用户输入非常宽容，否则不应使用它。在这种情况下，您可以通过首先解码URI 然后重新编码来“尽力而为” 。在这种情况下，如果我想输入“42%23”，我将不得不手动输入“42%2523”。

As for question 2:

至于问题2：

This however causes the last param to be encoded as well

然而，这会导致最后一个参数也被编码

Similarly, this is exactly what you want. If a URI appears as a parameter inside another URI, it shouldbe percent-encoded. Otherwise, how can you tell where one URI finishes and the other continues? I believe the above URI is actually valid (since ':', '/', '&' and '=' are reserved characters, not forbidden, and therefore they are allowed as long as they do not create ambiguity). But it is much safer to have a URI-inside-a-URI escaped.

同样，这正是您想要的。如果一个 URI 作为参数出现在另一个 URI 中，则它应该是百分比编码的。否则，你怎么知道一个 URI 在哪里结束，另一个在哪里继续？我相信上面的 URI 实际上是有效的（因为 ':'、'/'、'&' 和 '=' 是保留字符，不是禁止的，因此只要它们不引起歧义，它们就被允许）。但转义 URI-inside-a-URI 安全得多。

I really don't know, but you can try to first decode it, so the %3Fwill gets back what is was, and then encode it back.

我真的不知道，但是您可以尝试先对其进行解码，以便%3F将其恢复原状，然后再对其进行编码。

So:

所以：

String decoded = URLDecoder.decode(url, "UTF-8");
url = URLEncoder.encode(decoded, "UTF-8");

The correct way to encode an unencoded URL string is via URI.toASCIIString().

对未编码的 URL 字符串进行编码的正确方法是通过 URI.toASCIIString()。

Of course it is up to you to decide whether the URL is already encoded or not.

当然，由您决定 URL 是否已经被编码。

Have you tried using the URLEncoder?

您是否尝试过使用 URLEncoder？

    URLEncoder.encode(URLString, "UTF-8")

Besides that, your only option is going to encode each URL that is being used as a paramater separately, and then manually building the URL. This is a pretty tricky case.

除此之外，您唯一的选择是对每个用作参数的 URL 分别进行编码，然后手动构建 URL。这是一个相当棘手的案例。