What's the difference between URI.escape and CGI.escape and which one should I use?

Time: 2022-03-04 13:21:22

5 solutions

#1


106  

There were some small differences, but the important point is that URI.escape has been deprecated in Ruby 1.9.2... so use CGI::escape or ERB::Util.url_encode.

There is a long discussion on ruby-core for those interested which also mentions WEBrick::HTTPUtils.escape and WEBrick::HTTPUtils.escape_form.

#2


174  

What's the difference between an axe and a sword and which one should I use? Well, it depends on what you need to do.

URI.escape was supposed to encode a string (URL) into so-called "percent-encoding".

CGI::escape comes from the CGI spec, which describes how data should be encoded/decoded between web server and application.

Now, let's say that you need to escape a URI in your app. It is a more specific use case. For that, the Ruby community used URI.escape for years. The problem with URI.escape was that it could not handle the RFC-3896 spec.

URI.escape 'http://google.com/foo?bar=at#anchor&title=My Blog & Your Blog' 
# => "http://google.com/foo?bar=at%23anchor&title=My%20Blog%20&%20Your%20Blog"

URI.escape was marked as obsolete:

Moreover current URI.encode is simple gsub. But I think it should split a URI into components, then escape each component, and finally join them.

So current URI.encode is considered harmful and deprecated. This will be removed or change behavior drastically.

What is the replacement at this time?

As I said above, current URI.encode is wrong on spec level. So we won't provide the exact replacement. The replacement will vary by its use case.

https://bugs.ruby-lang.org/issues/4167

Unfortunately there is not a single word about it in the docs; the only way to know about it is to check the source, or run the script with warnings at verbose level (-wW2) (or use some google-fu).

Some proposed to use CGI::Escape for query parameters, because you couldn't escape an entire URI:

CGI::escape 'http://google.com/foo?bar=at#anchor&title=My Blog & Your Blog'
# => "http%3A%2F%2Fgoogle.com%2Ffoo%3Fbar%3Dat%23anchor%26title%3DMy+Blog+%26+Your+Blog"

CGI::escape should be used for query parameters only, but the results will be, again, against the spec. Actually the most common use case is escaping form data, such as while sending an application/x-www-form-urlencoded POST request.

The also-mentioned WEBrick::HTTPUtils.escape is not much of an improvement (again it's just a simple gsub, which is, IMO, an even worse option than URI.escape):

WEBrick::HTTPUtils.escape 'http://google.com/foo?bar=at#anchor&title=My Blog & Your Blog'
# => "http://google.com/foo?bar=at%23anchor&title=My%20Blog%20&%20Your%20Blog" 

The closest to the spec seems to be the Addressable gem:

require 'addressable/uri'
Addressable::URI.escape 'http://google.com/foo?bar=at#anchor&title=My Blog & Your Blog'
# => "http://google.com/foo?bar=at#anchor&title=My%20Blog%20&%20Your%20Blog"

Notice that, unlike all previous options, Addressable doesn't escape #, and this is the expected behaviour: you want to keep the # hash in the URI path but not in the URI query.

The only problem left is that we didn't escape our query parameters properly, which brings us to the conclusion: we should not use a single method for the entire URI, because there is no perfect solution (so far). As you see, & was not escaped in "My Blog & Your Blog". We need to use a different form of escaping for query params, where users can put different characters that have a special meaning in URLs. Enter URL encode. URL encode should be used for every "suspicious" query value, similar to what ERB::Util.url_encode does:

ERB::Util.url_encode "My Blog & Your Blog"
# => "My%20Blog%20%26%20Your%20Blog"

It's cool, but we've already required Addressable:

uri = Addressable::URI.parse("http://www.go.com/foo")
# => #<Addressable::URI:0x186feb0 URI:http://www.go.com/foo>
uri.query_values = {title: "My Blog & Your Blog"}
uri.normalize.to_s
# => "http://www.go.com/foo?title=My%20Blog%20%26%20Your%20Blog"

Conclusion:

  • Do not use URI.escape or similar
  • Use CGI::escape if you only need form escape
  • If you need to work with URIs, use Addressable, it offers URL encoding, form encoding and normalizes URLs.
  • If it is a Rails project, check out "How do I URL-escape a string in Rails?"
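As an added example (not code from any of the answers above, and not using the Addressable gem), here is a standard-library-only way to do what the answer recommends: escape each part of the URL with the encoder meant for that part, and check what a server would actually see. The base URL, the sample title, and the helper names (build_url, compare_escaping, and so on) are constructed for this demonstration; URI.escape itself is not called because it was removed in Ruby 3.0.

```ruby
# Added example, not code from the original answers: escape each component of
# a URL with the encoder meant for that component, instead of running one
# "escape" over the whole string. Standard library only.
require 'cgi'
require 'erb'
require 'uri'

# Query-value escaping: percent-encodes everything outside the RFC 3986
# unreserved set, so '&', '=', '/' and spaces (as %20) cannot change the
# structure of the query string.
def encode_query_value(value)
  ERB::Util.url_encode(value.to_s)
end

# Build "k=v&k=v" with every key and value escaped separately.
def build_query(params)
  params.map { |k, v| "#{encode_query_value(k)}=#{encode_query_value(v)}" }.join('&')
end

# Append an escaped query to a base URL that already holds scheme, host and path
# (the base is assumed to be trusted and already valid).
def build_url(base, params)
  "#{base}?#{build_query(params)}"
end

# Form body for an application/x-www-form-urlencoded request: same rules as
# CGI.escape, so spaces become '+' rather than '%20'.
def encode_form_body(params)
  URI.encode_www_form(params)
end

# Decode a query string back into { name => [values] }, as a CGI server would see it.
def parse_query(query)
  CGI.parse(query)
end

# Constructed sample value: each character has a special meaning somewhere in a URL.
SAMPLE_TITLE = 'My Blog & Your Blog=x/y'

# Show that the escaped value survives as one parameter, while the raw value is
# split into two parameters at the first '&' and its '=' is read as a separator.
def compare_escaping(value = SAMPLE_TITLE)
  {
    escaped_url:  build_url('http://www.go.com/foo', title: value),
    escaped_seen: parse_query(build_query(title: value)),
    raw_seen:     parse_query("title=#{value}"),
    form_body:    encode_form_body(title: value)
  }
end

if __FILE__ == $PROGRAM_NAME
  compare_escaping.each { |name, result| puts "#{name}: #{result.inspect}" }
end
```

Running the file prints the escaped URL, the parameter hash a server recovers from it, the hash it recovers from the unescaped string (two parameters instead of one), and the form-body variant with '+' for spaces. The point of the raw_seen entry is the one the answer makes: a value that is not escaped per component can add or rename query parameters, which is why one method for the whole URL is not enough.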

#3


9  

URI.escape takes a second parameter that lets you mark what's unsafe. See APIDock:

http://apidock.com/ruby/CGI/escape/class

http://apidock.com/ruby/URI/Escape/escape

#4


6  

CGI::escape is good for escaping text segments so they can be used in url query parameters (strings after '?'). For example if you want to have a parameter containing slash characters in the url, you CGI::escape that string first and then insert it in the url.

However in Rails you probably won't be using it directly. Usually you use hash.to_param, which will use CGI::escape under the hood.

URI::escape is good for escaping a url which was not escaped properly. For example some websites output wrong/unescaped urls in their anchor tags. If your program uses these urls to fetch more resources, OpenURI will complain that the urls are invalid. You need to URI::escape these to make it a valid url. So it is used to escape the whole URI string to make it proper. In my words, URI::unescape makes a url readable by humans, and URI::escape makes it valid to browsers.

These are my layman's terms and feel free to correct those.

#5


1  

The difference is that URI.escape is not working...

CGI.escape "/en/test?asd=qwe"
=> "%2Fen%2Ftest%3Fasd%3Dqwe"

URI.escape "/en/test?asd=qwe"
=> "/en/test?asd=qwe"
