Escape a string for transportation in a URL


To safely transport an arbitrary string within a URL, you need to percent-encode characters that have a particular meaning in URLs, like & or =.

If you are using Rails URL helpers like movies_path(:query => ARBITRARY_STRING_HERE), Rails will take care of the encoding for you. If you are building URLs manually, you need to follow this guide.

Ruby

In Ruby, use CGI.escape:

# ✅ good
require 'cgi'
CGI.escape('foo=foo&bar=bar')
# => "foo%3Dfoo%26bar%3Dbar"

Do not ever use URI.encode or its alias URI.escape, which keep reserved characters like & or = unescaped:

# ❌ bad (URI.encode and URI.escape were removed in Ruby 3.0)
require 'uri'
URI.encode('foo=foo&bar=bar')
# => "foo=foo&bar=bar"

JavaScript

In JavaScript, use encodeURIComponent:

// ✅ good
encodeURIComponent('foo=foo&bar=bar')
// => "foo%3Dfoo%26bar%3Dbar"

Do not ever use encodeURI, which keeps reserved characters like & or = unescaped:

// ❌ bad
encodeURI('foo=foo&bar=bar')
// => "foo=foo&bar=bar"
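
The difference matters once the value lands in a hand-built query string. The following added example (not part of the original card; the host example.test, the parameter names and the input value are constructed) builds the same URL with both functions and parses it back the way a receiving server would:

```javascript
// Added example: host, parameter names and input are constructed for illustration.
const BASE = 'https://example.test/movies';

// Build a URL by hand with the given encoder, then parse it back
// the way a receiving server would.
function roundTrip(encoder, value) {
  const url = new URL(`${BASE}?query=${encoder(value)}&page=1`);
  return {
    href: url.href,
    keys: [...url.searchParams.keys()],
    query: url.searchParams.get('query'),
    page: url.searchParams.getAll('page'),
    hash: url.hash,
  };
}

// Constructed value containing the delimiters &, = and #.
const input = 'tom & jerry&page=99#top';

// encodeURI leaves &, = and # alone, so the value rewrites the URL's structure.
const bad = roundTrip(encodeURI, input);

// encodeURIComponent escapes them, so the value stays inside the "query" parameter.
const good = roundTrip(encodeURIComponent, input);

console.log(bad);
console.log(good);
```

With encodeURI the receiver sees query as "tom ", a stray " jerry" key and page=99, while the intended page=1 ends up in the fragment. With encodeURIComponent the value round-trips unchanged and page stays 1.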

Last edit: Michael Leimstädtner
License: Source code in this card is licensed under the MIT License.
Posted by Henning Koch to makandra dev (2015-09-24 12:53)