Home/ Questions/Q 1063881
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-16T18:51:02+00:00

When encoding a query string to be sent to a web server – when

  • 0

When encoding a query string to be sent to a web server – when do you use escape() and when do you use encodeURI() or encodeURIComponent():

Use escape:

escape("% +&=");

OR

use encodeURI() / encodeURIComponent()

encodeURI("http://www.google.com?var1=value1&var2=value2");

encodeURIComponent("var1=value1&var2=value2");
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    escape()

    Don’t use it!
    escape() is defined in section B.2.1.1 escape and the introduction text of Annex B says:

    … All of the language features and behaviours specified in this annex have one or more undesirable characteristics and in the absence of legacy usage would be removed from this specification. …
    … Programmers should not use or assume the existence of these features and behaviours when writing new ECMAScript code….

    Behaviour:

    https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/escape

    Special characters are encoded with the exception of: @*_+-./

    The hexadecimal form for characters, whose code unit value is 0xFF or less, is a two-digit escape sequence: %xx.

    For characters with a greater code unit, the four-digit format %uxxxx is used. This is not allowed within a query string (as defined in RFC3986):

    query       = *( pchar / "/" / "?" )
pchar         = unreserved / pct-encoded / sub-delims / ":" / "@"
unreserved    = ALPHA / DIGIT / "-" / "." / "_" / "~"
pct-encoded   = "%" HEXDIG HEXDIG
sub-delims    = "!" / "$" / "&" / "'" / "(" / ")"
              / "*" / "+" / "," / ";" / "="

    A percent sign is only allowed if it is directly followed by two hexdigits, percent followed by u is not allowed.

    encodeURI()

    Use encodeURI when you want a working URL. Make this call:

    encodeURI("http://www.example.org/a file with spaces.html")

    to get:

    http://www.example.org/a%20file%20with%20spaces.html

    Don’t call encodeURIComponent since it would destroy the URL and return

    http%3A%2F%2Fwww.example.org%2Fa%20file%20with%20spaces.html

    Note that encodeURI, like encodeURIComponent, does not escape the ‘ character.

    encodeURIComponent()

    Use encodeURIComponent when you want to encode the value of a URL parameter.

    var p1 = encodeURIComponent("http://example.org/?a=12&b=55")

    Then you may create the URL you need:

    var url = "http://example.net/?param1=" + p1 + "&param2=99";

    And you will get this complete URL:

    http://example.net/?param1=http%3A%2F%2Fexample.org%2F%Ffa%3D12%26b%3D55&param2=99

    Note that encodeURIComponent does not escape the ' character. A common bug is to use it to create html attributes such as href='MyUrl', which could suffer an injection bug. If you are constructing html from strings, either use " instead of ' for attribute quotes, or add an extra layer of encoding (' can be encoded as %27).

    For more information on this type of encoding you can check: http://en.wikipedia.org/wiki/Percent-encoding

    • 0