should encodeURI ever be used?

10
votes

Is there any valid use for javascript's encodeURI function?

As far as I can tell, when you are trying to make a HTTP request you should either have:

  • a complete URI
  • some fragment you want to put in a URI, which is either a unicode string or UTF-8 byte sequence

In the first case, obviously nothing needs to be done to request it. Note: if you actually want to pass it as a parameter (e.g ?url=http...) then you actually have an instance of the second case that happens to look like a URI.

In the second case, you should always convert a unicode string into UTF-8, and then call encodeURIComponent to escape all characters before adding it to a URI. (If you have a UTF-8 byte sequence instead of a unicode string you can skip the convert-to-utf8 step).

Assuming I havent missed anything, I can't see a valid use for encodeURI. If you use it, it's likely you've constructed an invalid URI and then attempted to "sanitize" it after the fact, which is simply not possible since you don't know which characters were intended literally, and which were intended to be escaped.

I have seen a lot of advice against using escape(), but don't see anybody discouraging encodeURI. Am I missing a valid use?

2
javascripturlencode
The "some fragment you want to put in a URI", I believe, can be called a "URI component". "In the second case, you should always convert a unicode string into UTF-8" -- not in JavaScript. encodeURIComponent will automatically convert the string into UTF-8 first (and decodeURIComponent will convert the UTF-8 octets back into Unicode characters). - mgiuca

2 Answers

12
votes

I have a blog post which answers this question in a lot of detail.

You should never use encodeURI to construct a URI programmatically, for the reasons you say -- you should always use encodeURIComponent on the individual components, and then compose them into a complete URI.

Where encodeURI is almost useful is in "cleaning" a URI, in accordance with Postel's Law ("Be liberal in what you accept, and conservative in what you send.") If someone gives you a complete URI, it may contain illegal characters, such as spaces, certain ASCII characters (such as double-quotes) and Unicode characters. encodeURI can be used to convert those illegal characters into legal percent-escaped sequences, without encoding delimiters. Similarly, decodeURI can be used to "pretty-print" a URI, showing percent-escaped sequences as technically-illegal bare characters.

For example, the URL:

http://example.com/admin/login?name=Helen Ødegård&gender=f

is illegal, but it is still completely unambiguous. encodeURI converts it into the valid URI:

http://example.com/admin/login?name=Helen%20%C3%98deg%C3%A5rd&gender=f

An example of an application that might want to do this sort of "URI cleaning" is a web browser. When you type a URL into the address bar, it should attempt to convert any illegal characters into percent-escapes, rather than just having an error. Software that processes URIs (e.g., an HTML scraper that wants to get all the URLs in hyperlinks on a page) may also want to apply this kind of cleaning in case any of the URLs are technically illegal.

Unfortunately, encodeURI has a critical flaw, which is that it escapes '%' characters, making it completely useless for URI cleaning (it will double-escape any URI that already had percent-escapes). I have therefore borrowed Mozilla's fixedEncodeURI function and improved it so that it correctly cleans URIs:

function fixedEncodeURI(str) {
    return encodeURI(str).replace(/%25/g, '%').replace(/%5B/g, '[').replace(/%5D/g, ']');
}

So you should always use encodeURIComponent to construct URIs internally. You should only never use encodeURI, but you can use my fixedEncodeURI to attempt to "clean up" URIs that have been supplied from an external source (usually as part of a user interface).

5
votes

encodeURI does not encode the following: , / ? : @ & = + $ # whereas encodeURIComponent does.

There are a myriad of reasons why you might want to use encodeURI over encodeURIComponent, such as assigning a URL as a variable value. You want to maintain the URL but encode paths, query string and hash values. Using encodeURIComponent would make the URL invalid.