Characters allowed in GET parameter
There are reserved characters, which have reserved meanings; those are delimiters — :/?#[]@ — and subdelimiters — !$&'()*+,;=
There is also a set of characters called unreserved characters — alphanumerics and -._~ — which are not to be encoded.
That means that anything that doesn't belong to the unreserved character set is supposed to be %-encoded when it does not have special meaning (e.g. when passed as part of a GET parameter).
See also RFC3986: Uniform Resource Identifier (URI): Generic Syntax
How can I include special characters in query strings?
You have to encode special characters in URLs. See: http://www.w3schools.com/tags/ref_urlencode.asp
What characters must be escaped in HTML 5?
The specification defines the syntax for normal elements as:
Normal elements can have text, character references, other elements, and comments, but the text must not contain the character U+003C LESS-THAN SIGN (<) or an ambiguous ampersand. Some normal elements also have yet more restrictions on what content they are allowed to hold, beyond the restrictions imposed by the content model and those described in this paragraph. Those restrictions are described below.
So you have to escape <, or & when followed by anything that could begin a character reference. The rule on ampersands is the only such rule for quoted attributes, as the matching quotation mark is the only thing that will terminate one. (Obviously, if you don’t want to terminate the attribute value there, escape the quotation mark.)
These rules don’t apply to <script> and <style>; you should avoid putting dynamic content in those. (If you have to include JSON in a <script>, replace < with \x3c, the U+2028 character with \u2028, and U+2029 with \u2029 after JSON serialization.)
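The three replacements from the parenthetical above, as an added example that is not part of the original answer. The function names, the `data` variable and the sample value are constructed for illustration, and `scriptBodySeenByParser` is a simplified model of how an HTML parser finds the end of a script element.

```javascript
// Added example: embed data in an inline <script> without letting the data end the element.

// Hardened serializer: the three replacements described above, applied after JSON.stringify.
// The result is a JavaScript expression (\x3c is not valid JSON), which is fine inside <script>.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\x3c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Naive form, for comparison only.
function renderNaive(value) {
  return "<script>var data = " + JSON.stringify(value) + ";</script>";
}

function renderHardened(value) {
  return "<script>var data = " + jsonForScript(value) + ";</script>";
}

// Simplified model of the HTML parser: the script body ends at the first "</script"
// (case-insensitive), regardless of JavaScript string quoting.
function scriptBodySeenByParser(html) {
  const start = html.indexOf("<script>") + "<script>".length;
  const end = html.toLowerCase().indexOf("</script", start);
  return html.slice(start, end);
}

// Constructed sample value.
const sample = {
  comment: "bye</SCRIPT><p>markup after the data</p>",
  note: "line\u2028and\u2029paragraph separators",
};

// Evaluate the script body the parser would hand to the JS engine; null if it is broken.
function recoverData(html) {
  try {
    return new Function(scriptBodySeenByParser(html) + " return data;")();
  } catch (e) {
    return null;
  }
}

console.log(recoverData(renderNaive(sample)));    // null: body was cut inside the string
console.log(recoverData(renderHardened(sample))); // the original object
```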
Query strings with special characters
Use Server.UrlEncode:
URLEncode converts characters as follows:
Spaces ( ) are converted to plus signs (+).
Non-alphanumeric characters are escaped to their hexadecimal representation.
Use it this way:
<a href="page2.asp?name=<%= Server.URLEncode(sName) %>">here</a>
What's valid and what's not in a URI query?
That a character is reserved within a generic URL component doesn't mean it must be escaped when it appears within the component or within data in the component. The character must also be defined as a delimiter within the generic or scheme-specific syntax and the appearance of the character must be within data.
The current standard for generic URIs is RFC 3986, which has this to say:
2.2. Reserved Characters
URIs include components and subcomponents that are delimited by characters in the "reserved" set. These characters are called "reserved" because they may (or may not) be defined as delimiters by the generic syntax, by each scheme-specific syntax, or by the implementation-specific syntax of a URI's dereferencing algorithm. If data for a URI component would conflict with a reserved character's purpose as a delimiter [emphasis added], then the conflicting data must be percent-encoded before the URI is formed.
reserved = gen-delims / sub-delims
gen-delims = ":" / "/" / "?" / "#" / "[" / "]" / "@"
sub-delims = "!" / "$" / "&" / "'" / "(" / ")"
/ "*" / "+" / "," / ";" / "="
3.3. Path Component
[...]
pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
[...]
3.4 Query Component
[...]
query = *( pchar / "/" / "?" )
Thus commas are explicitly allowed within query strings and only need to be escaped in data if specific schemes define it as a delimiter. The HTTP scheme doesn't use the comma or semi-colon as a delimiter in query strings, so they don't need to be escaped. Whether browsers follow this standard is another matter.
Using CSV should work fine for string data, you just have to follow standard CSV conventions and either quote data or escape the commas with backslashes.
As for RFC 2396, it also allows for unescaped commas in HTTP query strings:
2.2. Reserved Characters
Many URI include components consisting of or delimited by, certain
special characters. These characters are called "reserved", since
their usage within the URI component is limited to their reserved
purpose. If the data for a URI component would conflict with the
reserved purpose, then the conflicting data must be escaped before
forming the URI.
Since commas don't have a reserved purpose under the HTTP scheme, they don't have to be escaped in data. The note from § 2.3 about reserved characters being those that change semantics when percent-encoded applies only generally; characters may be percent-encoded without changing semantics for specific schemes and yet still be reserved.
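The query grammar quoted above and the unreserved-set rule from the first answer, as an added example that is not part of any of the original answers. The function names and sample pairs are constructed; `URLSearchParams` stands in for a server-side query parser.

```javascript
// Added example: RFC 3986 query syntax check and strict value encoding.

// query = *( pchar / "/" / "?" ), pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
const QUERY_RE = /^(?:[A-Za-z0-9\-._~!$&'()*+,;=:@\/?]|%[0-9A-Fa-f]{2})*$/;

function isValidQuery(query) {
  return QUERY_RE.test(query);
}

// Encode everything outside the unreserved set (alphanumerics and -._~).
// encodeURIComponent leaves ! ' ( ) * as they are, so those are encoded in a second pass.
function encodeQueryValue(value) {
  return encodeURIComponent(value).replace(/[!'()*]/g, function (c) {
    return "%" + c.charCodeAt(0).toString(16).toUpperCase();
  });
}

// Build "k=v&k=v" from [name, value] pairs; "&" and "=" appear only as delimiters.
function buildQuery(pairs) {
  return pairs
    .map(function (p) { return encodeQueryValue(p[0]) + "=" + encodeQueryValue(p[1]); })
    .join("&");
}

// Constructed sample data: the first value contains "&" and "=", which are delimiters here.
const pairs = [["name", "Tom & Jerry=friends"], ["tags", "a,b;c"]];

// Concatenation without encoding the data (spaces as "+"), for comparison only.
const unsafe = "name=" + pairs[0][1].replace(/ /g, "+") + "&tags=" + pairs[1][1];
const safe = buildQuery(pairs);

// Parameter names a query parser extracts from the string.
function namesIn(query) {
  return Array.from(new URLSearchParams(query).keys());
}

console.log(isValidQuery(unsafe), namesIn(unsafe)); // valid syntax, but an extra parameter
console.log(isValidQuery(safe), namesIn(safe));     // valid syntax, [ 'name', 'tags' ]
console.log(isValidQuery("tags=a,b;c"));            // true: raw comma and semicolon are allowed
console.log(isValidQuery("q=a b"), isValidQuery("q=50%")); // false false
```

The unencoded string still passes the grammar check, which is why syntactic validity alone does not show that data and delimiters were kept apart.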