Forum Discussion

clemensw's avatar
6 years ago

decode an URL encoded string eg. “%C3%9” --> “ß” ?

Dear Community,

how can we decode an URL encoded string eg. “%C3%9” --> “ß” ?

When calling a URL with ....t5/tag/abc%C3%9Fxyz/tg-p/board-id/abcx
we catch the tag name with: <#assign tagName = pageUtils.getUrlPathParameter("tag")
and display it on the page with: <h1>${tagName}</h1>

Unfortunately it does not work for special character: e.g. ß
„abc%C3%9Fxyz“ is displayed: instead „abcßxyz“ as the URL contains 

How can we convert “%C3%9” back to “ß”?

Thank you, best,
clemensw

  • The standard utility for this purpose is webuisupport.path.parameters.name.get($name).

    I looked up that utility method (pageUtils.getUrlPathParameter(...)). It is custom (not part of the Community FreeMarker API) and has not been implemented correctly. It slices up the URL based on some format assumptions and does not decode the parameter value, so there is a risk of encoding-related bugs or even injection vulnerabilities. It also has the potential to return incorrect data for certain page/param combinations.

    There is not a way today to URL-decode in FreeMarker itself, and we have not added any utility methods for that purpose (unlike, say, Base64).

    A note about URL path encoding: the path of a URL is considered application-specific, so it is less standardized than query string encoding — different websites & applications can use different sorts of encoding schemes. Also, overall the path has different rules (e.g., only QS encoding requires escaping '=' or '&', and only path encoding requires escaping '/'). Therefore, it would not be safe to use a query string encode/decode process for our URL paths, and we would discourage reverse engineering the path encoding, as it is not a platform contract point and may change as required for Community improvements.

1 Reply

  • AndrewF's avatar
    AndrewF
    Khoros Oracle
    6 years ago

    The standard utility for this purpose is webuisupport.path.parameters.name.get($name).

    I looked up that utility method (pageUtils.getUrlPathParameter(...)). It is custom (not part of the Community FreeMarker API) and has not been implemented correctly. It slices up the URL based on some format assumptions and does not decode the parameter value, so there is a risk of encoding-related bugs or even injection vulnerabilities. It also has the potential to return incorrect data for certain page/param combinations.

    There is not a way today to URL-decode in FreeMarker itself, and we have not added any utility methods for that purpose (unlike, say, Base64).

    A note about URL path encoding: the path of a URL is considered application-specific, so it is less standardized than query string encoding — different websites & applications can use different sorts of encoding schemes. Also, overall the path has different rules (e.g., only QS encoding requires escaping '=' or '&', and only path encoding requires escaping '/'). Therefore, it would not be safe to use a query string encode/decode process for our URL paths, and we would discourage reverse engineering the path encoding, as it is not a platform contract point and may change as required for Community improvements.