哪些字符使URL无效?

这些url是否有效?

example.com/file [/] . html http://example.com/file [/] . html


当前回答

在这个例子中,“[”和“]”是“不明智的”字符,但仍然是合法的。如果[]中的'/'是文件名的一部分,那么它是无效的,因为'/'是保留的,应该正确编码:

http://example.com/file[/].html

为了澄清并直接解决上面的问题,有几种类型的字符会导致url和uri出现问题。

There are some characters that are disallowed and should never appear in a URL/URI, reserved characters (described below), and other characters that may cause problems in some cases, but are marked as "unwise" or "unsafe". Explanations for why the characters are restricted are clearly spelled out in RFC-1738 (URLs) and RFC-2396 (URIs). Note the newer RFC-3986 (update to RFC-1738) defines the construction of what characters are allowed in a given context but the older spec offers a simpler and more general description of which characters are not allowed with the following rules.

URI语法中不允许的US-ASCII字符:

   control     = <US-ASCII coded characters 00-1F and 7F hexadecimal>
   space       = <US-ASCII coded character 20 hexadecimal>
   delims      = "<" | ">" | "#" | "%" | <">

字符“#”被排除在外,因为它用于将URI与片段标识符分隔开来。百分比字符“%”被排除,因为它用于转义字符的编码。换句话说,“#”和“%”是保留字符,必须在特定的上下文中使用。

不明智的字符列表是允许的,但可能会导致问题:

   unwise      = "{" | "}" | "|" | "\" | "^" | "[" | "]" | "`"

在查询组件中保留的字符和/或在URI/URL中具有特殊含义的字符:

  reserved    = ";" | "/" | "?" | ":" | "@" | "&" | "=" | "+" | "$" | ","

上面的“保留”语法类指的是在URI中允许的字符,但在通用URI语法的特定组件中可能不允许这些字符。“保留”集中的字符并非在所有上下文中都是保留的。例如,主机名可以包含一个可选的用户名,所以它可以是ftp://user@hostname/,其中“@”字符具有特殊含义。

下面是一个URL的例子,它有无效和不明智的字符(例如:'$', '[', ']'),并且应该正确编码:

http://mw1.google.com/mw-earth-vectordb/kml-samples/gp/seattle/gigapxl/$[level]/r$[y]_c$[x].jpg

uri和url的一些字符限制依赖于编程语言。例如,'|' (0x7C)字符虽然在URI规范中仅被标记为“不明智的”,但它会在Java java.net.URI构造函数中抛出URISyntaxException异常,因此像http://api.google.com/q?exp=a|b这样的URL是不允许的,如果使用Java的URI对象实例,则必须将其编码为http://api.google.com/q?exp=a%7Cb。

其他回答

我正在实现一个旧的HTTP(0.9, 1.0, 1.1)请求和响应读取器/写入器。请求URI是最有问题的地方。

你不能只使用RFC 1738、2396或3986。有许多旧的HTTP客户端和服务器允许更多的字符。因此,我根据意外发布的web服务器访问日志进行了研究:“GET URI HTTP/1.0”200。

我发现在uri中经常使用以下非标准字符:

\ { } < > | ` ^ "

这些字符在RFC 1738中被描述为不安全的。

如果你想兼容所有旧的HTTP客户端和服务器,你必须允许这些字符出现在请求URI中。

请在oghttp-request-collector中阅读更多关于这项研究的信息。

通常,RFC 3986定义的uri(参见章节2:字符)可以包含以下84个字符中的任意一个:

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~:/?#[]@!$&'()*+,;=

注意,这个列表没有说明这些字符可能出现在URI中的哪个位置。

任何其他字符都需要使用百分比编码(%hh)进行编码。URI的每个部分对于百分比编码的单词需要表示哪些字符有进一步的限制。

来源(需要时加强调):

Unsafe: Characters can be unsafe for a number of reasons. The space character is unsafe because significant spaces may disappear and insignificant spaces may be introduced when URLs are transcribed or typeset or subjected to the treatment of word-processing programs. The characters "<" and ">" are unsafe because they are used as the delimiters around URLs in free text; the quote mark (""") is used to delimit URLs in some systems. The character "#" is unsafe and should always be encoded because it is used in World Wide Web and in other systems to delimit a URL from a fragment/anchor identifier that might follow it. The character "%" is unsafe because it is used for encodings of other characters. Other characters are unsafe because gateways and other transport agents are known to sometimes modify such characters. These characters are "{", "}", "|", "", "^", "~", "[", "]", and "`". All unsafe characters must always be encoded within a URL. For example, the character "#" must be encoded within URLs even in systems that do not normally deal with fragment or anchor identifiers, so that if the URL is copied into another system that does use them, it will not be necessary to change the URL encoding. Source

一些Unicode字符范围是有效的HTML5,尽管使用它们可能仍然不是一个好主意。

例如,href文档说http://www.w3.org/TR/html5/links.html#attr-hyperlink-href:

a和area元素上的href属性必须具有一个有效的URL值,该值可能被空格包围。

那么“有效URL”的定义指向http://url.spec.whatwg.org/,它说它的目标是:

将RFC 3986和RFC 3987与当代实现对齐,并在此过程中淘汰它们。

该文档将URL代码点定义为:

ASCII alphanumeric, "!", "$", "&", "'", "(", ")", "*", "+", ",", "-", ".", "/", ":", ";", "=", "?", "@", "_", "~", and code points in the ranges U+00A0 to U+D7FF, U+E000 to U+FDCF, U+FDF0 to U+FFFD, U+10000 to U+1FFFD, U+20000 to U+2FFFD, U+30000 to U+3FFFD, U+40000 to U+4FFFD, U+50000 to U+5FFFD, U+60000 to U+6FFFD, U+70000 to U+7FFFD, U+80000 to U+8FFFD, U+90000 to U+9FFFD, U+A0000 to U+AFFFD, U+B0000 to U+BFFFD, U+C0000 to U+CFFFD, U+D0000 to U+DFFFD, U+E1000 to U+EFFFD, U+F0000 to U+FFFFD, U+100000 to U+10FFFD.

然后在语句中使用术语“URL代码点”:

如果c不是URL代码点,也不是“%”,解析错误。

在解析算法的几个部分,包括模式,权限,相对路径,查询和片段状态:所以基本上是整个URL。

同样,验证器http://validator.w3.org/会通过“你好”这样的url,而不会通过像空格“a b”这样的字符的url

当然,正如Stephen C所提到的,这不仅与字符有关,还与上下文有关:你必须理解整个算法。但由于类“URL代码点”用于算法的关键点,它提供了一个很好的想法,你可以使用或不使用。

请参见:url中的Unicode字符

在这个例子中,“[”和“]”是“不明智的”字符,但仍然是合法的。如果[]中的'/'是文件名的一部分,那么它是无效的,因为'/'是保留的,应该正确编码:

http://example.com/file[/].html

为了澄清并直接解决上面的问题,有几种类型的字符会导致url和uri出现问题。

There are some characters that are disallowed and should never appear in a URL/URI, reserved characters (described below), and other characters that may cause problems in some cases, but are marked as "unwise" or "unsafe". Explanations for why the characters are restricted are clearly spelled out in RFC-1738 (URLs) and RFC-2396 (URIs). Note the newer RFC-3986 (update to RFC-1738) defines the construction of what characters are allowed in a given context but the older spec offers a simpler and more general description of which characters are not allowed with the following rules.

URI语法中不允许的US-ASCII字符:

   control     = <US-ASCII coded characters 00-1F and 7F hexadecimal>
   space       = <US-ASCII coded character 20 hexadecimal>
   delims      = "<" | ">" | "#" | "%" | <">

字符“#”被排除在外,因为它用于将URI与片段标识符分隔开来。百分比字符“%”被排除,因为它用于转义字符的编码。换句话说,“#”和“%”是保留字符,必须在特定的上下文中使用。

不明智的字符列表是允许的,但可能会导致问题:

   unwise      = "{" | "}" | "|" | "\" | "^" | "[" | "]" | "`"

在查询组件中保留的字符和/或在URI/URL中具有特殊含义的字符:

  reserved    = ";" | "/" | "?" | ":" | "@" | "&" | "=" | "+" | "$" | ","

上面的“保留”语法类指的是在URI中允许的字符,但在通用URI语法的特定组件中可能不允许这些字符。“保留”集中的字符并非在所有上下文中都是保留的。例如,主机名可以包含一个可选的用户名,所以它可以是ftp://user@hostname/,其中“@”字符具有特殊含义。

下面是一个URL的例子,它有无效和不明智的字符(例如:'$', '[', ']'),并且应该正确编码:

http://mw1.google.com/mw-earth-vectordb/kml-samples/gp/seattle/gigapxl/$[level]/r$[y]_c$[x].jpg

uri和url的一些字符限制依赖于编程语言。例如,'|' (0x7C)字符虽然在URI规范中仅被标记为“不明智的”,但它会在Java java.net.URI构造函数中抛出URISyntaxException异常,因此像http://api.google.com/q?exp=a|b这样的URL是不允许的,如果使用Java的URI对象实例,则必须将其编码为http://api.google.com/q?exp=a%7Cb。