HTTP headers can only transport US-ASCII characters safely

Posted About 1 year ago. Visible to the public. Repeats.

HTTP header values must only contain low-ASCII (7-bit) characters for safe transport. From RFC 7230 Show archive.org snapshot :

Historically, HTTP has allowed field content with text in the ISO-8859-1 charset [ISO-8859-1], supporting other charsets only through use of [RFC2047] encoding. In practice, most HTTP header field values use only a subset of the US-ASCII charset [USASCII]. Newly defined header fields SHOULD limit their field values to US-ASCII octets.

If you need to transport 8-bit+ characters (e.g. Umlauts, Emojis), an option is to encode the string using JSON, and then escaping all code points above 127 using unicode escape sequences Show archive.org snapshot :

escapeHighASCII('{"foo":"xäy"}') // => '{"foo":"x\\u00e4y"}'

Escaping high ASCII in JavaScript 

function escapeHighASCII(string) {
  let unicodeEscape = (char) => "\\u" + char.charCodeAt(0).toString(16).padStart(4, '0')
  return string.replace(/[^\x00-\x7F]/g, unicodeEscape)
}

Escaping high ASCII in Ruby 

def escape_high_ascii(string)
  string.gsub(/[[:^ascii:]]/) { |char| "\\u" + char.ord.to_s(16).rjust(4, "0") }
end
Henning Koch
makandra.com
Say thanks
Last edit
About 1 year ago
Henning Koch
License
Source code in this card is licensed under the MIT License.

Related cards:

RestClient / Net::HTTP: How to communicate with self-signed or misconfigured HTTPS endpoints

Occasionally, you have to talk to APIs via HTTPS that use a custom certificate or a misconfigured certificate chain (like missing an intermediate certificate).

Using RestClient will then raise RestClient::SSLCertificateNotVerified errors, or wh...

Why you can't use timezone codes like "PST" or "BST" for Time objects

Rails' ActiveSupport::TimeWithZone objects have both a timezone code and offset, e.g. Thu, 28 Mar 2019 16:00:00 CET +01:00. Ruby's stdlib TZInfo also has time zones, but with different identifiers.
Unfortunately, not all timezone codes can b...

Rails: Flagging all cookies as secure-only to pass a security audit

Why secure-only cookies used to be necessary

Cookies have an optional secure flag. It tells the browser to not send the cookie f...

How to use different encodings for text in HTTP headers

In order to use different encodings than ASCII for HTTP headers use the following syntax:

Header-Key: Header-Value; Parameter-Name*=utf-8''parameter_value_in_utf8_and_encoded_chars

Concrete example how to use an utf8 encoded filename for fil...

Devise: How to allow only HTTP Basic Auth and disable the HTML sign-in form

By default, Devise redirects to a sign-in form when accessing a route that requires authentication. If for some reason you do not want this, but use Basic Authentication (and the corresponding browser username/password dialog) instead, this is a s...

Use non-ASCII characters on IRB and Rails consoles with RVM and Mac OS X

If you are using RVM on a Mac and cannot enter 8+ bit characters on an IRB or Rails console, you are missing the readline package. You will need to re-install your Ruby to fix this:

rvm remove ree
rvm package install readline
rvm in...

Using ActiveRecord with threads might use more database connections than you think

Database connections are not thread-safe. That's why ActiveRecord uses a separate database connection for each thread.

For instance, the following code uses 3 database connections:

3.times do
  Thread.new do
    User.first # first databa...

Using CSS transitions

CSS transitions are a simple animation framework that is built right into browsers. No need for Javascript here. They're supported by all browsers.

Basic usage

Transitions are used to animate the pat...

The Ruby Object Model

In Ruby (almost) everything is an Object. While this enables a lot of powerful features, this concept might be confusing for developers who have been programming in more static languages, such as Java or C#. This card should help understanding t...

Make an HTTP request to a machine but fake the hostname

Consider you have a website vhost listening to www.example.com, redirecting all incoming requests that do not talk about the configured hostname (this is often used to redirect users to http://www.example.com when entering only `http://example...

Posted by Henning Koch to makandra dev (2023-03-05 11:54)
This website uses short-lived cookies to improve usability.
or learn more